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This  thesis  is  a  primer  on  the  subject  of  computer  security.  It  is 
written  for  the  use  of  computer  systems  managers  and  addresses 
basic  concepts  of  computer  security  and  risk  analysis.  An  example 
of  the  techniques  employed  by  a  typical  military  data  processing 
center  is  included  in  the  form  of  the  written  results  of  an  actual 
on-site  survey.  Computer  security  is  defined  in  the  contect  of  its 
scope  and  an  analysis  is  made  of  those  laws  and  regulations  which 
direct  the  application  of  security  measures  into  Automatic(Continue 
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Data  Processing  Systems.  Finally,  a  list  of  sosw  of  the  major 
threats  to  coBq>uter  security  and  the  (^ontermeasures  typically 
e9q>loyed  to  combat  those  threats  is  presented. 
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During  th«  last  flftsan  jmatB,  the  use  of  cosputers  and 
other  autoaatic  data  processing  eguipsent  has  increased  at 
an  exponential  rate  and  sany  cosputer  industry  analysts 
predict  that  the  proliferation  of  coaputer  applications  will 
continue  into  the  next  century.  To  hasp  pace  with  the 
deaand  for  better  and  faster  systess,  the  coaputer  industry 
has  responded  with  adwances  in  hardware  and  software  tech- 
nology,  systea  design  aethodology,  iaprowed  aanageaent 
philosophies  and  siailar  iaproweaents  in  alaost  all  other 
coaputer-related  disciplines.  One  ar^a  that  has  lagged 
behind  the  technology  avalanche  is  that  of  coaputer 
security.  The  annual  loss  of  perhaps  aillions  of  dollars 
through  deliberate  and  covert  penetrations  of  coaputer-based 
inforaation  systeas  as  reported  by  Allen  and  as  partially 
listed  in  Table  I  is  lerely  the  tip  of  the  iceberg.  There 
are  aany  coapanies  that  withhold  acknowledgeaents  of 
successful  penetrations  of  their  systeas  and  many  who  are 
non  aware  that  their  systeas  have  been  penetrated.  There 
are  penetrations  that  coaproaise  classified  inforaation  and 
penetrations  that  cause  personal  loss  through  the  violation 
of  priracy.  If  one  were  to  put  a  true  monetary  value  on  all 
the  losses  aentioned  here,  Allan's  estiiata  of  millions  of 
dollars  lost  would  be  pale  by  comparison.  The  severity  of 
the  coaputer  security  problem  and  the  gigantic  financial  and 
personal  losses  that  it  involves  aight  lead  one  to  believe 
that  the  computer  industry,  the  federal  jovernoent,  or  the 
academic  coaaunity  would  have  long  ago  discovered  a  remedy. 
While  it  would  not  be  realistic  to  expect  a  method  for 
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gaaranteeing  a  on«-huadr«d  par  cent  secure  systee*  it  is 
reasonable  to  expect  that  a  coaputer  based  inforsation 
systes  could  be  constructed  that  would  at  least  prewenr  sost 
of  the  penetrations.  The  truth  is  that  the  technology  and 
the  procedures  are  available  and  they  would  be  effective  if 
coeputer  systems  sanagers  would  only  use  then.  The  reasons 
for  not  using  coaputer  security  aea suras  will  be  covered 
later.  Suffice  it  to  say  at  this  point  that  aanagers  are 
finally  waking  up  to  the  fact  that  coaputer  security  is 
soae thing  to  be  concerned  about. 

The  current  and  increasing  concern  for  data  security  is 
the  result  of  three  major  interrelated  factors. 

The  first  is  the  dramatic  technological  .advancement  in 
automatic  data  processing  equipment  and  software  systems 
mentioned  briefly  above.  In  a  modern  coaputer  environment, 
multiple  jobs  and/or  multiple  users  can  concurrently  access 
the  facilities  and  the  stored  data  of  the  system. 
Computation  speeds  are  fast  approaching  billions  of  opera¬ 
tions  per  second,  and  the  amount  of  stored  data  ranges  well 
into  the  billions  of  bytes.  Bach  of  a  variety  of  users  has  a 
variable  security  authorization  and  the  data  sets  themselves 
have  diverse  security  requirements. 

The  second  factor  is  the  increasing  need  of  science, 
industry  and  government  for  processing  vast  quantities  of 
data  as  quickly  as  possible.  Further,  decreasing  per-unit 
processing  and  storage  costs  have  increased  the  number  of 
applications  economically  feasible  to  automate. 

The  third  factor,  the  result  of  greater  availability  of 
communications  facilities  and  terminal  devices,  is  the 
increasing  emphasis  cn  providing  computer  access  at  remote 
operations  levels.  Much  effort  in  recent  years  has  been 
devoted  to  simplifying  the  interface  between  the  user  and 
the  computer.  As  a  result,  many  systems  provide  guidance 
and  computer-  assisted  instrucricns  to  help  the  user  become 
increasingly  productive  and  increasingly  knowledgeable. 


Thesd  d«Telopa«nts  ha^e  lad  to  systeas  that  paralt  the 
ttsers  to  do  their  jobs  faster  aad  better.  Is  the  access  to 
inforsation  is  extended,  however,  so  east  the  security 
measures  that  control  this  access.  The  computer  systeas 
manager  faces  increas singly  difficult  decisions  as  a  result 
of  this  information  extension.  The  decisions  stem  from  the 
need  to  balance  the  risk  of  the  loss  threatened  with  the 
cost  of  count  eraeastisres.  Sisk  management,  as  this 

balancing  process  is  called,  is  an  imprecise  science  and  is 
a  relatively  new  field  of  study  for  the  computer  profes¬ 
sional.  hs  such,  the  subjectire  assessments  and  judgements 
of  the  manager  must  be  inordinately  reliad  upon  throughout 
the  process.  The  scope  of  the  security  problem  approaches 
infinity  and  the  tern  "secure"  must  be  considered,  at  best, 
a  temporary  state  of  any  system.  The  budget  constraints  of 
many  organizations,  both  public  and  private,  tend  to  limit 
the  programs  and  projects  that  managers  can  pursue.  If 
those  organizations  have  never  experienced  security  prob¬ 
lems,  t^e  opposition  by  upper  level  management  to  the 
application  of  security  measures  can  be  anticipated.  One 
final  aspect  of  computer  security  can  complicate  the  manag¬ 
er's  task.  Even  if  the  conscious  decision  by  all  levels  of 
management  is  made  to  install  secuity  safeguards,  the  task 
of  retro-fitting  an  unsecure  system  is  not  easy.  The 
process  of  "designing  in"  security  is  much  more  preferable 
and  the  historical  efforts  to  "bolt  on"  security  have  been 
expensive  and  largely  unsuccessful  due  to  a  lack  of  sophist¬ 
icated  analysis. 

The  computer  systems  manager,  and  more  explicitly,  the 
security  manager  must  possess  a  myriad  of  skills  and  abili¬ 
ties,  foremost  of  which  is  the  ability  to  produce  cost 
effective  techniques  for  maintaining  or  raising  the  security 
level  of  his  system  without  significantly  increasing  the 
complexity  of  the  user  interface.  He  must  also  be  capable  of 
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constant  Tigilanca  for  as  soon  as  ha  ralaxas,  tha  adaantaga 
gcas  to  tha  potantial  panatrator. 

Good  sacnrlty  is  not  a  eonglosaration  of  IndiTidaal 
countarsaasnras  fanding  off  spaeific  sacnlty  thraats.  it  is 
a  wall  designad  swat a ■  of  coant a raaa suras  that  act  in  unison 
to  protact  tha  whola  systas.  Risk  aanagaaant  is  tha  proeass 
by  which  this  dasign  is  construe tad  and  iaplaaantad. 

B.  OBJBCTZTBS 

Bany  foraal  aducation  prograas  ara  gsarad  axplicitly  to 
the  prospactiwa  coaputar  systaas  aanagar.  Bhila  thasa 
prograas  prowida  tha  would-ba  aanagar  with  the  general 
skills  required  of  tha  occupation,  aost  of  thaa  only  briefly 
address  coaputar  security  and  then  only  as  an  ancillary 
topic.  The  object iwe  of  this  thesis  is  to  suppleaent  foraal 
coaputar  systeas  educaticn  by  providing  the  junior  coaputar 
systeas  aanagar  with  a  non^technical,  conversational  know 
ledge  of  coaputar  security.  Toward  this  and,  a  aoderately 
concise  definition  of  the  subject  is  presented  along  with  an 
assessaent  of  the  subject  scope.  Additionally,  a  brief  over* 
view  and  analysis  of  the  laws  and  regulations  pertaining  to 
coaputer  security  is  presented.  This  is  followed  by  a 
discussion  of  risk  uanageaent  and  soae  of  the  techniques  it 
employs.  An  enuaeration  of  the  chief  threats  to  coaputer 
security  and  the  counteraeasures  typically  eaployed  to 
coabat  those  threats  follows  and  finally,  the  results  of  a 
coaputer  security  survey  of  an  actual  military  data  proces¬ 
sing  center  is  offered  as  an  exercise  in  security  assessaent 
and  as  an  indicator  of  how  coaputer  security  is  addressed  in 
the  real  world. 


ii«  sftsmi  snim  mms 

Host  litsr stars  asaling  with  ths  sabjset  of  cospatsr 
sscarltf  attssptsv  at  soas  point,  to  dsfins  ths  tsra.  k 
fault  with  saay  of  thsss  dsf&nitions  is  that  thsy  ars 
prsssntsd  in  abstract,  and  thsrsfors,  not  vary  nssfal  tsrss. 
Othsrs,  although  adsquatsly  dafining  coiputsr  sscurity  in 
ossful  tsras,  fail  to  dsscribe  its  scope.  Sines  ths  scops  of 
ths  tsra  is  surprisingly  broad,  a  good  working  dsfinition 
should  includs  at  least  an  owsrwisw  of  the  topic.  One  of  ths 
few  useful  definitions  of  coaputsr  sscurity  encountered  in 
ths  literature  survey  for  this  thesis  coees  froa  Pritchard 
[Ref.  2:  p.  7].  In  his  book,  Pritchard  describes  general 
classifications  of  losses  due  to  breaches  in  coaputer 
security.  These  classifications  are: 

A.  Loss  of  systea  availability 

B.  Loss  of  systes  integity 

C.  Loss  of  systes  confidentiality 

In  order  to  fully  appreciate  a  computer  security  defini¬ 

tion,  it  is  useful  to  be  acquainted  with  the  scope  of  the 
subject.  Although  the  subject  of  risk  analysis  will  be 
treated  in  later  chapters,  in  order  to  adequately  describe 
the  scope  of  coaputer  security,  it  is  useful  to  present  a 
overview  analysis  of  threat  classifications  at  this  point  in 
order  to  give  the  reader  some  indication  of  the  size  of  the 
problem.  asinq  Prichard's  loss  classifications,  general 
threat  categories  are  listed  below: 


A.  LOSS  or  sTSTn  AfizL&Biurr 

Th«c«  ar«  aanr  mys  that  aystaa  availability  can  ba 
affactad.  Dapandiag  on  tba  sis a  and  tha  distsibutad  natara 
of  any  particular  systas,  tha  ganacal  assats  of  that  systaa 
inclnda  savan  basic  catagorias.  Tha  gaaaral  vnlnarabilitias 
of  aach  assat  catagory  ara  llstad  in  tha  following  sactions. 

1*  BaiflSgflSt 

Tha  hardvara  of  any  systaa  is  tha  foundation  upon 
which  all  othar  coaponants  of  a  coaputarizad  inforaation 
systaa  cast.  Shan  hacdwara  assats  ara  lost,  systaa  parfor> 
aanca  dacreasas  >  soaatiaas  to  zaro.  Soaa  ganaral 
ulnarabllitias  of  hacdwara  ara: 
support  dapandency 
physical  attack 
design  rallability 
natural  catastrophe 
operator  dapandency 

2«  Software 

Software  is  the  collection  of  instructions  that 
directs  the  hardware  through  its  required  operations.  As 
software  assets  are  lost,  soaa  aeasure  of  perforaanca  is 
also  lost,  soaa  general  software  vulnerabilities  related  to 
systaa  availability  ace: 

•  susceptibility  to  aodification 

•  wide  accessibility 

•  ability  to  hide  subversion  techniques 

•  design  reliability 


3*  Data  DoemmitatiQn 

Th«M  two  ooapatar  ijataa  asswts  ara  groapad 
togathac  bacaaaa  thay  ara  eloaaly  ralatad  la  that  thay  ara 
both  Tolnarabla  to  aiailar  thraata.  Data  is  tha  rasoarca 
upon  which  tha  hazdwara/soft wars  coabinatioa  oparatas. 
Docaaantation  is  tha  sat  of  oparatiag  instraetioas.  Loss  or 
dagradatioa  of  aithat  or  both  of  thasa  assats  raadars  a 
systaa  asalass  or  eo aatar product iwa.  Soaa  gaaaral  docusaa- 
tatioa  aad  data  wulaaxabilitias  ara: 

•  Bodification  suscaptibility 

•  dastructioa  susceptibility 


Tha  coBBunicatioBs  aspects  of  a  giwaa  systaa  can  ba 
as  ccapllcatad  as  a  aulti*nodad  distributed  systaa  linked  by 
eicrowave  and  satellite  relay  or  as  sinple  as  a  quarter  inch 
cable  leading  to  off-line  storage  in  the  next  rooB.  Partial 
or  ccaplata  loss  of  cob aunicat ions  between  systen  nodes  or 
coapenents  can  result  in  a  spectrua  of  pro  bless  ranging  froB 
coaplete  systea  collapse,  to  the  failure  of  a  particular 
applications  package.  Sobs  vulnerabilities  of  coBBunications 
assets  are: 

•  subceptability  to  interception 

•  subceptability  to  janaing  or  blocking 

•  hardware/software  dependent 

Although  the  reliability  of  coaputer  hardware  has 
increased  in  recent  years,  tha  technological  precision  of 
nany  hardware  coapenents  has  also  increased  thereby  naking 
environaental  assets  such  as  air  conditioning,  huaidity 
control,  and  power  sources  essential  to  systea  availability. 
Environiental  degradation  can  cause  systea  collapse  or 
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simply  males  ths  arms  ancomfartabls  mock 
sak  points  arm: 

dssign  rsliability 
support  dspsndsney 
adsqmacy 

opsratoc  dspsndsney 
6.  SliBBSIt 


in.  Camironmsntal 


Support  is  the  moed  that  dsscribss  all  thoss  actimi- 
ties  not  part  of  ths  information  procsssing  systsm  itsslf# 
but  mithout  mhich  ths  systsm  could  not  function.  Szamplss  of 
support  actimitiss  rangs  from  ths  Stanly^  unlntsrruptsd 
delimsry  of  continuous  form  pnpsr  to  ths  stsady,  unintsr- 
ruptsd  dslimsry  of  slsctricnl  pomsr.  Intsrruption  of 
support  can  disrupt  an  information  systsm  by  varying  dsgrsss 
and  ths  offsets  of  such  a  disruption  dspsnds  upon  ths  sffsc> 
tivsnsss  of  contingsney  planning. 

B.  LOSS  OF  STSYBB  ZITB6BZTT 

Ths  most  common  application  of  ths  turn  "systsm 
integrity"  is  to  the  data  on  which  a  system  operates,  k 
useful  definition  of  data  integrity  is 


y. 

i 
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the  state  existing  when  data  agrees  with  the  source  from 
which  it  is  derived,  and  when  it  has  net  been  either 
accidentally  or  maliciously  altered,  disclosed,  or 
destroyed  fmsf.  3:  p. 

This  aspect  of  computer  security  is  perhaps  the  most  diffi¬ 
cult  to  guard  against  because  it  is  usually  the  most 
difficult  to  detect.  An  inadvertent  or  aalicious  degradation 
in  data  intsgity  can  have  varying  results  ranging  from  the 
taking  of  action  based  on  incorrect  inforiation  to  the  crash 
of  the  entire  system.  In  most  cases,  ths  discovery  of  the 
lack  of  data  integrity  is  after  the  fact.  Some  generic 
types  of  data  integrity  vulnerabilities  ace: 
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aeeidwtal  dr  ■alieiotts  aatry  arrprs 
aopiAaatal  or  aalieloaa  proeoaai&g  altaratloas 


C.  109S  or  COirZDBITmZTT 

Loss  of  eoafidsBtlality  probably  dassribss  tbs  thought 
that  COSOS  iasodiatoly  to  aind  vho&ovar  tho  topic  of 
coaputor  socurity  is  aantionsd.  It  is  potantially  tho  aost 
sarioos  rosult  of  an  insocuco  systaa.  Padaral  Znforaation 
Procossing  Standards  (FIPS)  *41  dofinos  confidontiality  as 


a  c 
acco 
thor 


loncfpt  which  acplios  to.  data.  It  is  th 
nod  to  data  which  roqairos  protection  f 
izod  disclosure. 


is  the  status 
on  from  unau- 


This  definition,  although  useful,  is  perhaps  a  bit  narrow. 
Substituting  the  word  "inforaat ion"  for  the  word  "data"  in 
the  definition  broadens  the  definition  appreciably  and 
points  to  an  iaportant  theoretical  concept.  Inforaation  is 
the  result  of  data  processing  or  aanipulation.  Data  itself 
is  analogous  to  the  words  in  a  dictionary.  Each  word 
contains  a  value  or  aeaning  but  when  coabined  with  other 
words  in  a  process  called  language,  the  sua  of  the  words 
conveys  a  concept  or  idea.  Data  is  aerely  the  ccngloaeration 
of  unassociated  fields  (words).  The  problaa  of  data  security 
therefore,  transends  the  collection  of  data  fields  and 
extends  to  the  process  through  which  those  fields  are 
processed  into  inforaation.  In  this  thesis,  the  treataent  of 
the  security  problea  is  restricted  to  data  and  its  proces¬ 
sing,  but  the  reader  should  be  aware  that  inforaation 
security  is  a  auch  larger  concept  that  only  begins  at  the 
point  of  processing.  The  losses  suffered  from  a  lack  of 
confidentiality  are  usually  evaluated  first  in  a  typical 
risk  aanageaent  scenario  because  those  safeguards  put  in 


pl«e«  to  prettet  syat*!  oMfllntiftlity  ■•ny  tlMS  soIyp 
problwH  in  tk«  otjMr  loss  cttftjorits*  Soe«  f«ii«ral  threats 
to  coBfidoatiality  are: 

•  aceidaatal  or  intaatioaal  latarcoptioB 

•  uaaothorisad  accasa 


D.  OIPZIITIOI 

The  above  dieeaaslon  of  loss  cattgories  and  their 
sQbseta  is  presented  to  iai^as  the  readac  vith  the  scope  of 
the  coapater  secaity  problee.  Vith  the  iaeense  proportions 
of  that  problea  in  aind,  the  folloving  definition  of 
coepnter  secnity  is  offered: 


Coeputer  seearity  is  the  protection  of  coepating 
assets  or  resoerces  aad  coapater  based  systeas 
against  acddeatal  and  delibe'rate  threats  vhose 
ocearrance  nay  cease  losses  dae  to  those  systeas* 
non-availability,  lack  of  integrity,  or  lack  of 
confidentiality. 

[Bef.  2:  p.  71 
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XXX.  II  uuxau  QZ  IKIttlX  UlS  UB  UfilUZIfilS 

Th«  a««d  for  coapator  msarity  was  not  of  priaary 
concarn  to  coapatar  syataas  aan agars  daring  tha  accalaratad 
growth  of  tha  coapatar  indoatry  in  tha  1970 's.  Hanagars  of 
inforaatlon  systaas  wara  aoch  too  basy  iaaling  with  grant 
technological  leaps  in  tha  hardware  and  software  offerings 
of  aajor  wandors.  Tha  efforts  to  aaintain  security  were 
largely  ineffactiwa  because  of  the  lack  of  aanagaaent 
support  and  because  of  tha  predoainantly  after-the-fact 
design  of  security  safeguards  -  the  "bolt  on"  security 
systaas  aantioned  earlier.  Dua  to  articles  such  as  that  of 
Allen  [Baf.  1:  pp.52-  62]  and  Moffett  PP*  124-126] 

and  cthar  preceding  authors,  the  public  soon  becaae  aware  of 
the  potential  and  actual  aisuse  of  data  and  inforaation 
systeas.  Articles  concerning  the  aisadwentures  of  unsu¬ 
specting  citzens  and  their  battles  with  credit  agencies, 
banks,  and  billing  and  collecting  firas  were  not  uncoaaon  in 
the  aedia.  finally,  due  to  public  pressure  on  legislators 
for  protection  against  the  invasion  of  privacy  and  for  a 
legal  aethod  of  correcting  incorrect  or  incoaplete  personal 
data,  two  aajor  laws  were  ratified  by  the  Congress.  This 
legislation  had  the  ultiaate  effect  of  aaking  computer 
systeas  managers  more  aware  of  the  need  for  data  privacy  and 
data  integrity.  The  history  behind  other  laws,  regulations, 
and  directives  is  not  quite  as  colorful,  but  the  fact  that 
they  exist  in  large  quantities  is,  no  doubt,  a  commentary  on 
;he  vulnerability  of  computer  files  and  data  to  mistreat¬ 
ment,  broad  access,  and  disclosure.  The  following  sections 
of  this  chapter  contain  a  brief  analysis  of  the  regulations 
and  laws  that  affect  the  computer  systems  managers  of  the 
federal  governaent.  The  discussion  is  arranged  in  two 


cat€9ori«s.  Th«  first  category  daals  with  ragalatlons 
affactiag  organizations  within  ths  fsdsral  govarnssnt;  ths 
sacond  catogory  is  a  gensralizsd  traatssnt  of  agoncy- 
specific  directiwes. 

h.  fHB  PBXthCI  &CT  km  OTBBB  LBGISLITZOI 

.  1*  Xkfi  SliliSl  IS&.  2l  1224 

The  Privacy  Act  of  197  4  ia  poses  nnaerons  require- 
Bents  upon  federal  agencies  to  prevent  the  aisuse  or 
coaproaise  of  data  containing  personal  inforaation.  Federal 
aatoaatic  data  processing  (AOP)  organizations  which  process 
personal  data  aust  provide  a  reasonable  dagree  of  protection 
against  unauthorized  disclosure,  destruction,  or  aodifica- 
tion  of  personal  data,  whether  intentionally  caused  or 
resulting  froa  accident  or  carelessness.  These  requireaents 
deaand  the  application  of  aanagerial,  adainistrative,  and 
technical  procedures.  FIPS  *41  addresses  the  requireaents 
and  the  corresponding  safeguards  used  to  iapleaent  the 
provisions  of  the  Act.  Table  II  lists  those  iteas. 

Two  desirable  by-products  of  the  Privacy  Act  are  the 
proBOtion  of  risk  analysis  and  the  elimination  of  unneces¬ 
sary  data,  a  procedure  undertaken  to  narrow  the  range  of  the 
safeguards  used.  Both  of  these  side  effects  aided  in  the 
developaent  of  more  secure  systems:  the  risk  management 

promotion  in  refining  the  techniques  of  a  little  used  proce¬ 
dure,  and  the  purging  of  files  in  creating  more  concise, 
manageable  data  bases. 

2.  iiLfi  Eiaalai  2I  lafazaafcian  isl 

The  Freedom  of  Inforaation  Act  requires  federal 
agencies  to  publish  is  the  Federal  Register,  certain  infor¬ 
mation  related  to  personal  files.  This  information  must 
include  the  source  and  aethod  by  which  the  inforaation 


TMMIM  ZX 

PritmcT  let  tad  Sadagaarda 


RZQOZBEdBVTS 


SAFBOOAIOS 


Control  of  Disclosures 

Bntry  Controls 

Accounting  of  Disclosures 

Storage  Protection 

Access  to  Records 

Data  Bundling 

Disputed  Inforsation 

Inclusion 

Use  of  Relevant  Data  for 
Authorized  Purposes 

Accurate,  Couplet e  Records 

Record  Haintenance 

Data  Processing 
Practices 

Responsibility 

Assignsent 

Insurance  of  Integrity, 

Security  and  Confidentiality 

Record  Retention 

Auditing 

Data  Encryption 

Identification 

CRef.  3:  p.  81 

retained  by  those  agencies  can  be  obtaiaed.  Additionallyr 
the  Act  requires  that  a  general  discriptian  of  the  data,  the 
processes  that  act  upon  the  data,  and  the  results  of  those 
processes  be  available  through  the  channels  described  in  the 
Federal  Register.  The  Act  appears  to  be  loosely  worded  and 
has  aany  exceptions  thereby  diluting  soee  of  its  effective¬ 
ness.  Once  again,  however,  the  awareness  level  of  federal 
agency  Information  system  managers  to  sonputer  security  was 
raised.  The  Act  compels  the  manager  to  establish,  at  least, 
a  defensible  security  policy  and  a  set  of  corresponding 
procedures  for  the  protection  of  data. 


3*  Q£liSft  2l  ttlUaftlSAl  4fti  (2a&)  Sl££al&£  4:1££ 

OHB  Circalar  4»108  is  the  ispleeentation  of  the 
Privecy  ict  of  1974.  It,  along  vlth  tha  gaidelles  of  FIPS 
•41,  put  teeth  into  the  Privacy  Act  by  explaining,  point  by 
point  and  in  specific  terms,  the  adsinistrative  procedures 
to  be  followed  and  the  policies  to  be  established  by  all 
federal  agencies.  Although  coeputer  files  are  not  addressed 
in  A-108,  and  therefore  ao  technical  procedures  for 
protecting  coaputer  files,  the  underlying  effect  of  the 
circular  is  to  reinforce  top  BanageBeat*3  support  of  data 
security. 

4.  R&anl^iSUSt  £4£L  i  o£  Ullt  11 

This  regulation  deals  with  the  standardization  of 
data  ele Bents  and  representations.  Although  only  peripheri** 
ally  associated  with  security,  it  is  inoluded  here  for  two 
reasons.  First,  it  illustrates  the  initial  efforts  of  the 
federal  governaent  to  establish  a  huge  distributed  system  of 
data  bases  that  could  extend  the  capability  of  agency-to- 
agency  data  exchange.  Secondly,  while  the  concept  of  of 
standardization  is  a  sound  a2uiagerial  technique  for 
proacting  efficiency,  it  simplifies  the  potential  penetra- 
tor's  task  by  not  only  aiding  the  standardization  of  his 
efforts,  but  also,  increasing  the  number  of  potential  entry 
points  where  he  night  access  the  information. 

B.  A6EHCT  SPECIFIC  BBGULATIOifS  AID  DIBBCTIVES 

Most  of  the  material  in  this  category  belongs  to  one  of 
two  sub* categories. 

The  first  subset  includes  agency  procedures  for  handling 
classified  infornatio t.  Usually,  only  brief  mention  of  clas¬ 
sified  conpuner  files  is  made  in  this  type  directive.  Some 
physical  security  procedures  are  directed  but  no  technical 
information  is  included. 


th9  rang*  of  spocific  aocurity  aspoets  eovarad  la  thaaa 
diractiaas  is  ganarally  good#  bat  dicactions  as  to  tiia  tach- 
nlcal  isplasaatation  of  policiss  within  a  spacific  facility 
is  not.  Tha  absMca  of  taehnisal  eroeadacas  facilitatas  tha 
di varsity  of  hardwara  and  softwara  throaghoat  tha  agancy. 
It  also  allows  sabjactiwa  jadgasants  to  ba  aada  at  tha 
installation  lawal  as  to  throat  assassaant  and  appropriata 
safagaards.  Tha  potantial  azists,  at  tha  Installation  laval, 
for  tha  sabjectiaa  jadgasants  of  aanagaaant  parsonnal  to  ba 
inflaancad  by  tha  opaiational  workload,  the  Banning  lavel, 
and  tha  tachnoloqy  lewal  of  tha  installation  hardwara  and 
softwara.  That  baing  tha  casa,  tha  straagths  of  individual 
prograas  nay  vary  significantly.  Ezaaplas  of  such  diractivas 
are  contained  in  DODD  5200.28,  OPEkV  5239.  1  (Navy),  and  HCO 
P55  10.14  (Harine  Corps)  . 

Tha  second  category  of  agency  specific  directives  are 
locally  developed  security  plans  applisable  only  to  the 
individual  activity.  These  docuaents  should  be,  and  for  tha 
nost  part  are,  the  affbodiaent  of  all  higher  directives  and 
tailored  to  the  local  environaeut.  Again,  considerable  flex¬ 
ibility  is  allowed.  Security  plans  offer  a  wide  variance  in 
coverage.  What  is  aore,  the  anforceaent  of  local  security 
plans  also  varies  widely. 


v.v 
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Coaputtr  s«enrit7  is  initially  cansarned  with  dater- 
lining  and  inplaaenting  costae ff active  count araaasuras  to 
make  a  system  secure  against  the  many  threats  which  can 

occur.  It  is  conc^ned^  therefore,  with  reducing  the 

frequency  with  which  any  threat  is  expected  to  occur  and/or 
reducing  the  impact  of  the  threats  upon  the  correct  func¬ 
tioning  of  the  system.  Secondly,  it  is  concerned  with  what 
has  to  be  done  when  the  normal  mode  of  operation  is 

disrupted.  It  is  concerned  with  contingency  planning,  that 
is,  the  preparation  and  execution  of  a  standby  node  of  oper¬ 
ation  and  with  the  preparation  and  execution  of  recovery 
plans.  The  third  concern  of  computer  security  is  the 

auditing  of  the  system  in  both  the  normal  and  standby  modes 
of  operation  [Bef.  2:  p.  21* 

Bisk  management  is  the  name  given  to  the  process  *  7 
which  all  three  of  the  above  concerns  are  dealt  with  and  Ivs 
objective  is  to  protect  the  system  from  losses  resulting 
from  these  concerns.  Its  organization  is  variable,  that  is, 
task  organized  to  the  specific  need,  but  the  major  methodol¬ 
ogies  employed  are  basic.  They  are 

•  threat  identification 

•  threat  impact  measurement 

•  countermeasure  identification  and  measurement 

•  countermeasure  selection 

•  implementation  and  monitoring  of  safeguard  effect 
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Ther«  are  several  9 cod  references  on  the  topic  of  risk 
sanagesent  •  (see  bibliography)  and  since  this  thesis  deals 
with  the  subject  as  a  subset  of  cosputar  security,  only  a 
cursory  look  will  be  taken  at  sose  of  the  procedures  it 
es  ploys. 

Risk  sanagesent  is  essentially  conceroed  with  developing 
and  saint aining  a  cost-effective  security  progras.  The 
optisal  point  at  which  the  esploying  organization  should 
operate  is  as  illustrated  in  Figure  4.1  The  downward  sloping 
curve  (curve  A)  illustrates  tha  effect  on  losses  as  counter- 
sea  sores  are  applied.  The  upward  sloping  curve  (curve  B)  is 
the  cost  of  the  counterseasures  as  they  are  successively 
applied.  The  0-shaped  curve  (curve  C)  above  the  intersecting 
lines  is  the  total  of  both  tha  cost  of  losses  and  the  cost 
of  counterseasures.  The  optisus  operating  position  is,  quite 
obviously,  the  lowest  point  (point  0)  on  the  U-shaped,  or 
total  cost,  curve.  The  distance  between  the  Z-axis  and  the 
low  point  on  the  total  cost  curve  is  the  total  nusber  of 
dollars  spent  on  counterseasures  plus  the  total  nusber  of 
dollars  lost  due  to  security  breaches  when  operating  at  the 
the  optimal  level.  The  total  number  of  dollars  is  read  on 
the  y-axis  at  the  point  (point  ?)  horizontal  to  and  left  of 
the  low  point.  The  level  of  protection  is  represented  by  the 
length  of  lire  (E)  and  read  on  the  x-axis  at  point  (Q)  .  The 
total  number  of  dollars  expended  in  either  of  the  two  ways 
is  affected,  of  course,  by  the  effectiveness  of  the  counter¬ 
measures  employed.  One  of  the  most  effective  countermeasures 
is  the  reduction  of  the  number  of  personnel  authorized 
access  and  the  reduction  of  the  number  of  access  points. 
Successive  reductions  in  either  the  authorized  personnel  or 
the  access  points  certainly  will  solve  the  security  problem, 
but  it  also  reduces  the  availability  of  information  to  the 
organization  which,  in  turn,  decreases  the  organization's 
ability  to  function  properly.  Phis  also  causes  a  loss.  Some 
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■iddl«  ground  uust  be  found  and  that  is  point  (0)  in  the 
figure.  The  underlying  point  to  all  this  is  that  it  is  the 
risk  sanager's  job  to  reduce  the  threat  of  security  in  the 
■ost  cost  effective  way  while  saintaining  the  level  of 
infornation  availability.  Sous  other  intacesting  points  are 
illustrated  in  Figure  4.1  .  Bote  that  the  total  cost  curve 
(C)  appears  to  approach  the  vertical  asyatotically  on  the 
right.  The  father  projection  of  this  line  sight  reveal  that 
it,  in  fact,  doubles  back  to  the  left  at  sose  point.  This 
graphically  represents  the  fact  that  at  sose  point,  far  to 
the  right  of  the  optiaal  operating  point,  the  successive 
application  of  counterseasure  upon  counterseasure  will 
becose  counterproductive.  Bote  also  that  the  curve  repre** 
senting  counterseasure  expenditures  (B)  never  quite  reaches 
the  one  hundred  per  cent  protection  vertical  fros  the 
x-axis.  Another  point  to  note  is  that  there  resains  a 
vertical  distance  between  the  x-axis  and  the  loss  curve. 
This  says  that  the  losses  are  never  cut  to  zero. 

Although  risk  sanagesent  Involves  the  countering  of 
secuity  threats  in  three  aspects,  only  cost-effectiveness 
detersination  will  be  discussed  in  this  chapter.  The  aspects 
of  contingency  planning  and  auditing  will  be  treated  in 
chapter  six. 

B.  COST  EFFEGTIVEBES S  DETEBHIBATIOB 

As  discussed  before,  the  third  part  of  risk  analysis  is 
the  analysis  and  application  of  cost  effective  countermea¬ 
sures.  This  process  has  essentially  three  distinct  steps 
(threat  assessment,  countermeasure  assessment,  countermea¬ 
sure  selection)  which  are  discussed  below. 


‘I*  Thr«at  iagasgaant 

Threat  assassaant  is  caaposad  of  thraa  coapoaants. 
Tha  first  coaponaat  is  tha  idantif ication  of  tha  thraats 
applicabla  to  tha  systaa  in  question.  Tha  list  of  threats 
will  certainly  be  different  for  each  indisidual  systaa  but 
they  are  all  datamicad  in  a,  aore  or  lass,  subjective 
aannar.  Dacoaposing  threats  into  threat  categories  is  tha 
first  step.  A  aanager  aay  wish  to  use  a  dacoaposition 
siailar  to  that  of  Figure  4.2  or  he  aay  use  a  checKlist  such 
as  was  used  to  deteraine  the  threat  categories  in  Chapter  7. 
In  either  case,  the  final  dacoaposition  of  tha  threat  is 
usually  done  by  the  checklist  aethod.  Harine  corps  Order 
P5510.14  and  OPNAVINST  5239.1  contain  ezaaples  of 
checklists. 

The  second  coaponent  of  threat  assessaent  is  the 

0 

deteraination  of  threat  occurrence  frequency.  This  inforaa> 
tion  can  be  obtained  through  the  use  of  the  organization's 
historical  data  or  can  be  derived  froa  the  study  of  other 
siailar  organizations.  tluch  effort  should  be  expended  to 
deteraine  frequency  as  accurately  as  possible  for  it  will 
figure  significantly  into  the  cost  computations  of  counter¬ 
measures  as  will  be  demonstrated  later  in  the  process. 

The  next,  and  final,  step  in  threat  assessaent  is 
the  determination  of  total  exposure.  This  procedure  is  no 
more  than  the  multiplication  of  the  factors  determined  in 
the  first  two  components  using  the  following  formula; 

T  *  H1  X  Cl  ♦  H2  X  C2  ♦ . ♦  Hn  X  Cr. 


where  T  is  the  total  loss  (usually  expressed  in  terms  of 
dollars)  per  year.  It  is  the  expected  annual  loss  from  all 
threats  combined.  Nn  is  the  total  number  of  occurrences  of  a 
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sinql*  threat  axpeetad  annoally  and  Cn  is  the  asount  of  loss 
par  ooearrsnes.  The  prodact  of  sash  threat  and  it*s 
frequency  is  added  to  the  prodact  of  all  other  threats  and 
freqaeneies  thereby  yieldinq  T. 
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The  second  coiponent  of  cost  effectiveness  deterni- 
nation  is  the  assesssent  of  conn teraea sure s.  It  this  point, 
a  slight  digression  is  in  order.  Zounterseasare  accessaent 
involves  the  evaluation  of  the  effectiveness  of  various 
coanteraeasures  and  as  such  can  becoae  very  coaplicated  as 
the  nuaber  of  the  coanteraeasures  under  analysis  increases. 
The  task  of  the  aanager  can  be  siaplifiel  soaewhat  by  clas** 
sifyinq  coanteraeasures  by  the  aethod  used  to  handle 
threats.  Four  general  aethods  for  handling  threats  are 
coaaonly  used.  The  first  is  threat  avoidance.  Threat  avoi¬ 
dance  involves  isolating  the  coaponent(s)  vulnerable  to  the 
threat  and  eliainating  those  coaponent  (s) .  Since  aost  systea 
coaponents  are  vulnerable  to  soae  sort  of  threat,  if  this 
aethod  were  used  exclusively,  it  would  be  only  a  natter  of 
tiae  until  there  was  no  system.  The  second  aethod  of  threat 
handling  is  threat  retention.  Threat  retention  is  usually 
employed  when  T  «  Mn  X  Cn  is  small  for  a  particular  threat. 
A  threat  in  this  category  is  either  ignored  or  handled  in 
con-junction  with  the  third  threat  handling  procedure  - 
threat  transfer.  Threat  transfer  is  nothing  more  than  the 
utilization  of  soae  sort  of  insurance  to  offset  the  effects 
of  the  threat.  Threat  reduction,  the  fourth  threat  handling 
procedure,  is,  by  far,  the  aost  coaacn.  It  is  the  applica¬ 
tion  of  positve  steps  or  devices  designed  to  reduce  the 
number  of  threat  occurrences  and  the  effects  of  each  threat. 
Soae  examples  are  physical  access  control,  processing 
restrictions,  and  tempest  shielding. 
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Th«  B«xt  st«p  in  eoaiit«rnasttrt  assassaant  is  th« 
dataxalnation  of  affactivaaoss.  Foe  azaapla,  if  eoantaraaa> 
Sara  XTZ  radacaa  tha  fra^aasf  (D  of  a  ‘thraat  froa  tan 
incldants  to  ona  iacidaat  par  paar;  and  tha  loss  par  inci- 
dant  froa  $1,000  te  $850#  tha  affietlTanaas  of  tha 
coantaxaaaaara  can  ba  glaan  a  nnaarical  qaantifieation  as 
follcvs: 

■n*  X  Cb«  •  T* 

(Total  loss  par  occaranoa  with  coantaraaasara) 


then 


T*  «  $850  utilizing  cottntaraaasara  XTZ 
T  »  $10#000  without  counted  assure  XTZ 


therefore 


(T  -  T*)  /  T  «  ef  factiwanass 
substituting 

($10#000  -  $850)  /  $10,000  »  0.915 
This  says  that  countezaeasura  XTZ  is  91. 5X  affactiwe. 

3.  £aIS£ti2fl 

Ona  aethod  of  countacaaasure  salaction  is  presented 
below  by  the  continuation  of  tha  exaapla  above. 

Suppose  count eraeasure  XTZ  costs  $5,000  to  iapleaent 
and  has  a  failure  rate  of  8.55  (100X  -  91.5S).  Tha  total 

cost  of  using  the  aeasure  is  coaputad  as  follows: 


Tc  ■  T  ♦  Cf  -  T(1  -  P) 


Decoapositlon  of  the  Threat 


V.  St.'  ■Vw.'^T 


«  gtf ifti  ^>,.iC-fe .i-t,'mk  &-•  -'  i»*»  £-->  >\.y^  1%  . 


Tc  ••  total  cost 

T  »  Nn  Z  Cn  (as  cosputsd  abovs) 
Cf  *  cost  of  isplsaantatloa 


for  oar  sxaspls 

T  «  $10,000 
Cf  *  $5,000 
P  »  .085 


Tc  «  $10,000  ♦  $5,000  -  $10,  000(1  -  .385) 
•  $ia,000  ♦  $5,00  0  -  $9,150 
■  $5,850 


This  final  figure  is  the  total  loss  to  the  using  organiza¬ 
tion.  Total  losses  of  $10,300  were  sustained  prior  to 
counteraeasure  XIZ  eaploysent.  After  rounteraeasure  ZYZ 
enployaent,  total  losses  where  $5,850  ($5,000  of  which  were 
iopleaentation  expenses)  .  The  counteraeasure,  then  saves 
$4,150  ($10,000  -  $5,850)  the  first  year,  and  $9,150 

($10,000  -  850)  in  each  succeeding  year. 

The  siaple  exaaple  above  was  derived  froa  the  proce¬ 
dures  shown  in  PIPS  #31  [  Hef .  5:  pp.  12-13].  Note  that  the 
procedure  involves  the  use  of  only  one  counteraeasure.  Not 
only  are  several  aeasures  coapared,  in  most  cases,  but 
discounting  techniques  are  also  used.  This  is  but  one 
aethod  of  deteraining  cost  effective  counteraeasures.  Other 


•qually  valid  and  affactiva  taclmiqaaa  ara  aantlonad  in 
bibliographical  rafarancas. 


V-  fnnkf  kMktrsTs 


The  scope  of  cosputer  aecority#  as  discussed  ia  chapter 
2,  approaches  infinity.  The  topic's  large  size  is  a  direct 
result  of  the  large  nusber  of  potential  threats  to  the 
cosputer  systes.  Jlnoe  any  discussion  of  cosputer  security 
threats  sust  be  finite,  that  discussion  sust,  therefore,  be 
incosplete.  Hith  that  in  sind,  this  chapter  will  seek  to 
present  both  general  and  specific  threats  to  cosputer 
security  along  with  scse  of  their  effects. 

Pritchard  (lef.  2:  p.  19]  and  Carullo  and  Shelton 
[Bef.  6:  p.  52]  describe  warious  aethods  for  decosposing 
threats  into  classifications.  One  such  classification  is 
Illustrated  in  Figure  5.1  reprinted  here  for  convenience. 
Note  that  this  ezasple  could  be  aodified  by  the  addition  of 
"Hardware",  "Software",  and  "Personal"  under  "Deliberate  - 
Social".  Checklists  are  another  way  of  identifying  threats. 
Checklists  usually  reflect  the  needs  of  their  cosposers  and 
a  specific  cosputer  systes  and,  therefore,  are  not  usually 
cosplete.  k  checklist  cosposed  of  several  checklists  fros 
different  sources  say  prove  to  be  fairly  comprehensive.  This 
is  essentially  the  technique  used  in  the  construction  of  the 
following  list.  Four  main  references  [Ref.  5:  pp.  77-82], 
[Ref.  7:  pp.  3.9-9.15],  [Bef.  8],  and  [Bef.  9:  pp.  Si-650] 
were  used.  For  the  purposes  of  this  thesis,  threats  are 
organized  into  the  following  categories: 

•  physical  threats 

•  emanations 

•  hardware  threats 

•  software  threats 

•  personnel  threats 

•  procedural  threats 


Figure  5. 1  Decoeposition  of  the  Threat 


I.  PHISZCIL  THIBIfS 


Physical  threats  cose  i&  a  variety  of  foras  that  can  be 
decoaposed  into  two  aain  areas  •  controllable  and  uncontrol¬ 
lable.  Bzaaples  are: 

COHTBOLLIBIB 

•  physical  attack  (civil  disobedience,  ailitary  as¬ 
sault,  arson,  looting,  sabotage,  vandalisa) 

•  fire 

•  saoke,  dust,  and  dirt  intrusion 

•  bursting  water  pipes 

•  electroaagnetic  disturbanoa  (lightaning,  vacuua 

claaners,  floor  polishers) 

•  forcible  entry  and  theft 
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•  natural  catastrophe  (lighting,  wind,  tornado, 

earthquake,  flood) 

•  aircraft  crash 

•  bosb  threat 

•  support  non-availability 

Controllable  threats  are  those  threats  that  can  be 
prevented  from  occuricg  to  a  greater  degree  by  the  applica¬ 
tion  of  sufficient  safeguards.  Uncontrollable  threats  are 
those  that  cannot  be  prevented  but  whose  effect  can  be 
minisized  by  proper  procedures.  The  line  between  the  two 
classifications  is  net  well-defined  as  is  evident  by  the 
presence  of  the  same  threat  (lighting)  under  both  catego¬ 
ries.  The  line  becomes  clearer  when  specific  computer 
installations  are  addressed  along  with  the  resources  and  the 
location  of  that  installation.  Note  that  the  threat  does  not 
have  to  affect  the  computer  facility  directly.  Just  as  an 
effective  attack  is  the  application  of  physical  threats  to 
the  installation's  support. 


B.  comaitciTzoi 


The  technical  so^isticatinn  of  coaaanications  facili* 
ties  and  daTicas  is  a  growing  trend  in  to3ay*s  world.  Han  is 
able  to  coBsanicata  using  satellite  relay,  laser  technology, 
fiber  optic  Bechanisas,  and  Bicrowawe  transaissions.  When 
these  technologies  are  used  in  conjunction  with  coaputer 
systeas,  large  aaounts  of  data  can  be  transferred  ower  long 
distances  at  staggering  rates,  conventional  means  of  data 
transfer  are  also  used.  Telephone  lines  and  direct  line 
coaxial  cable  can  be  used  in  aany  cases.  There  ace  only 
three  main  types  of  threats  that  effset  coaaanications 
security  but  the  i  ipleaentation  of  these  three  differ 
significantly  froa  one  coaauai cations  aediua  to  the  next 
thereby  allowing  for  a  great  aany  permutations  and  coabina*' 
tions  of  threats.  The  main  threats  are: 

•  eavesdropping 

•  interception 

•  denial  or  destruction 

Eavesdropping  involves  siphoning  off  information  from  a 
communication  without  detection.  Interception  is  the  inter¬ 
ruption  of  a  communication  from  its  flow  towards  its 
intended  destination  and  the  redirection  of  that  flow  to  an 
unintended  destination.  Denial/destruction  is  exactly  what 
it  says;  the  interuption  of  communications  by  such  methods 
as  jamming  and  destruction  of  communication  equipment. 

There  is  one  other  threat  that  can  be  logically  listed 
here  or  under  several  other  categories.  This  threat  involves 
the  browsing,  interrogation,  destruction,  or  alteration  of 
information  contained  in  a  computer  file  through  the  use  of 


external  coBBunication.  This  method  works  in  reverse  o£  the 
threats  listed  above.  A  recent  exanple  involved  a  ring  of 
teenagers  who  owned  personal  computers  and  who  were  able  to 
break  in  to  the  data  banks  of  several  large  commercial 
institutions. 

C.  ZHAIATIOIS 

Eaanations  are  the  by-product  of  coiputing  devices  as 
they  coBBunicate  with  their  peripherals  (especially  cathode 
ray  tubes)  .  The  product  of  this  coBBunication  is  electroaag- 
netic  energy  containing  the  the  essence  of  the 
communication.  This  electromagnetic  energy  can  be  read  by 
complicated  but  common  devices.  The  range  of  most  of  these 
devices  is  restricted  to  a  few  hundred  yards^  at  best,  but 
the  technique  is  very  successful  in  the  absence  of  specifi¬ 
cally  designed  safeguards.  Since  this  threat  is  relatively 
expensive  for  the  penetrator  to  employ,  the  probability  of 
this  threat  occurring  is  usually  proportional  to  the  sensi¬ 
tivity  or  classification  of  the  information  on  file  at  the 
specific  activity.  The  probability  of  an  emanation  threat  to 
a  local  grocery  store's  inventory  file,  for  example,  is 
extremely  remote. 

0.  HABDWiRE 

Hardware  threats  are  those  threats  that  normally  affect 
the  integrity  of  the  computer  or  its  srored  data.  The  chief 
hardware  threat  involves  the  physical  manner  in  which  data 
is  manipulated  wi.hin  the  machine.  The  instruction  set  of  a 
given  machine  is  the  set  of  commands  that  the  machine  is 
designed  to  understand.  These  instructions  manipulate  the 
machine's  inner  workings  at  various  levels.  If  there  is  no 
provision  as  to  the  accessibility  of  these  instructions 
among  the  various  operations  layers,  an  inadvertent 
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■alicioas  p«n«tration  of  all  lavals  may  osear.  Tha  potantial 
effacts  ara: 

•  tha  dastraction/altaratioQ  of  lata 

•  the  alteration  of  the  operating  systea 

•  the  absence  of  predictable  nnipnlations 

The  unreliability  of  a  coaputer  aanipulation  is  the 
chief  threat  to  coaputer  security.  The  changing  of  an 
instruction  set  or  the  absence  of  design  features  that 
ensure  reliability  is  the  threat's  physical  aanifestation. 
Hardware  security  is  sore  appropriately  addressed  in  the 
next  chapter  (Counter aea sores)  because  it  addresses  soae  of 
the  ways  reliability  is  aided. 

E.  son  WARE 

Software  threats  coae  in  two  categories  -  lack  of  reli¬ 
ability  and  subversion.  The  reliability  threat  is  as 
applicable  to  software  as  it  is  to  hardware  but  the  differ¬ 
ence  is  that  one  is  a  physical  concept  and  the  other  is  a 
procedural  concept.  The  software  threat  is  more  coaplicated 
than  that  of  hardware  because  software  is  arranged  in  many 
layers  (operating  system,  utilities,  applications)  whereas 
hardware  is  only  one  layer.  This  layering  of  software  not 
only  increases  the  area  of  vulnerability,  it  complicates  the 
protection  requirements. 

Software  subversion  is  another  type  of  software  threat 
that  is  much  akin  to  software  reliability  but  differs  in 
that  it  is  a  deliberate  rather  than  accidental  threat.  There 
are  two  main  types  of  software  subversion.  One  type  is 
called  a  TROJAN  HORSE.  A  trojan  horse  is  a  bit  of  code  that 
is  inserted  into  one  of  the  levels  of  the  software  and  is 
designed  to  provide  an  entry  port  for  a  penetrator.  It  can 


be  saaioned  only  through  a  pre-defined  code  that  is  designed 
so  that  the  portal  is  not  vulnerable  to  accidental 
discovery.  It  is  an  active  threat  ,  that  is,  it  requires  the 
penetrator  to  actively  engage  it.  Another  type  of  subversion 
is  called  the  TRAP  DOOR.  A  trap  door  is  code  that  is 
inserted  such  like  a  trojan  horse.  The  difference  between 
the  two  is  that  a  trap  door  requires  no  assistance  froa  the 
penetrator  other  than  its  initial  insertion.  The  prograa 
runs  automatically  whoi  a  target  set  of  parameters  is  net. 
An  example  is  the  insertion  of  a  trap  door  into  an  aplica- 
tions  package  that  processes  classified  data.  The  trap  door 
activates  itself  through  the  use  of  the  package  and  perhaps 
routes  a  second  copy  of  a  resulting  classified  report  to  a 
printer  in  another  location.  The  penetrator  could  either 
pick  up  the  report  himself  at  the  other  location  or  he  nay 
allow  the  report  to  be  delivered  to  him  via  the  inter-office 
delivery  system. 

Software  threats,  although  categorized  into  two  general 
components,  take  on  many  disguises  and  are  capable  of 
causing  losses  in  an  infinite  number  of  ways.  The  following 
chapter  will  deal  with  software  threat  countermeasures  and 
may  illuminate  the  topic  appreciably. 

F.  PERSOHHEL 

Personnel  threats  in  the  computer  environment  are 
perhaps  the  bottom  line  in  a  study  of  computer  security.  All 
three  categories  of  loss  (availability,  integrity,  and 
confidentiality)  are  affected  by  the  inadvertent  or 
purposeful  actions  of  humans.  The  form  of  the  human  threat 
can  range  from  the  simple  absence  of  a  key  person  at  a 
computer  facility  to  the  covert  activities  of  an  undercover 
penetrator.  The  predominant  personnel  threat,  of  course,  is 
the  proclivity  of  the  human  to  make  errors. 


A  stady  condactvd  by  Siaon»ttl»  Sass,  and  Honoky  of  tha 
dnlvarsity  of  Tolado,  [Baf.  10:  p.  20*1  vas  daslgnad  to 
dataralna  vhat  changas  had  baan  aada  in  coapntar  sacacity 
systaaa  daring  tha  tan  yaars  prior  tn  tha  study.  Tha 
corralation  batvaan  tha*  naabac  of  changas  aada  and  tha 
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TABLB  III 

Changes  Hada  in  Security  Systaus 

OSGAHIZATION  CHANGES  HADE  I  PEBCENT  OF  OfiGAHIZAIIONS 

1  SaRVETED  BAKING  CHANGES 

In  human  error  control 

190X 

In  physical  access  to 
computer 

32X 

In  personnel  screening 

52X 

In  computer  terminal 
access 

52X 

In  warning  systems  for 
attempted  false  entry 

31X 

In  new  program  testing 

aspect  of  computer  security  that  required  changing  due  to 
inadequacy  of  previous  safeguards  vas  assumed  to  be  high. 
The  results  of  that  study  is  presented  in  Table  III  above. 

The  inference  is  that  human  interaction  with  the 
computer  and  its  infcrmation  is  the  threat  most  recognized 
by  security  system  managers.  The  study  cites  another  inter¬ 
esting  statistic.  Of  all  computer  frauds  committed  and 
subsequently  discovered,  58X  ware  the  work  of  ADP  employees. 


6.  SlOCSOOBil 


Procedural  threats  are  those  that  relate  to  the  aaaage-" 
sent  function  of  control  and  affect  the  worhflov  process. 
Procedural  threats  are  those  that  act  upon  those  workflow 
points  were  control  is  passed  from  one  function »  elesent^  or 
indiwidual  to  another.  Procedural  threats  can  be  accidental 
or  aalieious  in  nature  and  can  be  aore  accurately  described 
in  terns  of  safeguards  designed  to  to  counteract  then. 


▼I.  ssmmns^iu 


Although  the  threats  to  the  secarity  of  a  coapater 
systea  are  naaeroos,  there  also  exists  an  abundance  of 
devices  and  procedures  by  which  each  can  be  countered*  Xn 
order  to  intelligently  eaploy  an  effective  risk  aanageaent 
prograa,  the  the  aanager  aust  be  aware  of  the  counter aea sure 
options  he  has  available  to  hia.  The  following  paragraphs 
contain  soae  of  the  considerations  that  aust  be  aade  when 
choosing  appropriate  protection.  Provide!  also  is  a  listing 
of  various  aethods  used  to  coaba  t  specific  threats. 

A.  PHYSICAL  SKORITT 

Physical  counter a easures  are  eaploye!  to  ainiaize  the 
effects  of  dangers  to  the  tangible  assets  of  a  coaputer 
systea.  Host  of  these  aethods  use  coaaon  sense  and  are 
directed  at  one  specific  aspect  of  physical  security.  The 
external  and  internal  environaent  of  a  coaputer  center  are 
most  iaportant  to  physical  security  and  depend  upon  soae  of 
-che  following  considerations: 


•  physical  location 

•  availability  of  fire  and  law  enforceaent  services 

•  availability  of  aedical  facilities 

•  construction  aaterials 

•  physical  access  routes 


It  is  difficult  to  present  a  list  of  specific  counter¬ 
measures  without  knowing  the  particular  needs  and  operating 
constraints  of  a  given  systea,  however,  it  is  possible  to 


45 


•stablish  standards  that  golds  ths  aaaagsx  of  coapotsr 
asssts.  Ths  folloving  list  of  standards  applf  socs  or  Isss 
to  all  facilitlss. 

1.  Ths  stroetoral  soondnsss  of  buildings  housing 
cosputsr  squipnsnt  should  bs  adsquats  to:  support  ths 
wsight  of  cospoting  sachinsrY:  acsosodats  slactrical 
sabling  and  firs  sztingaishing  systsss;  ainislzs  ths 
offsets  of  wind,  prscipitation,  an!  lightsning;  vith- 
stand,  in  sobs  casss,  ths  sffsets  sf  ozplosions. 

2.  Ths  OBployasnt  of  physical  aesass  controls  to 
cosputsr  squipaent,  taps  filss,  sastsr  docunsntation, 
■astsr  softvars  copiss,  and  snsironssntal  support 
(air  conditioning,  husidity  control  equipiont,  sloe- 
trical  povsr  acurcss)  should  bs  sstablishsd.  (Thsss 
stops  ars  applicabls  to  rsnots  tsrainal  locations  as 
well.) 

SOBS  of  ths  Bore  cosBon  iaplsBentations  of  ths  above 
standards  ars: 

•  The  nuabsr  of  windows  and  doors  or  other  physical  entry 
paths  should  be  ninioized  consistent  with  local  fire  regula¬ 
tions. 

«  Chain  link  fences  should  be  used  where  the  classifica¬ 
tion  of  the  inforiaticn  within  dictates, 

•  The  use  of  cipher  locks,  second  access  doors,  holding 
areas,  guards,  and  closed  circuit  T7  can  be  employed  where 
feasible. 

•  Exterior  lightin g  should  bs  employed  where  appropriate. 

•  Posit ve  key  control  should  always  be  aaintained. 


•  Idsntification  badgas  oc  othar  such  davlcas  ara 
soatlaas  osaful. 

a 

•  datoaatic  fira  varningf  datactlon,  and  artinguialiing 
systaas  with  optional  axtingniahar  dalay  to  protact  against 
inadvartant  acti ration  aay  ba  aaployad.  Sapplaaantal  daricas 
sacb  as  snoka  raaoral  systaas*  air  filtration  systaas,  and 
plastic  sbaating  nsad  to  eorac  aqnipaant  in  tha  arant  of 
fira  axtinguishar  actiration  ara  also  asafnl. 

•  Unintaraptabla  povar  supplias,  povar  surga  insulators 
and  appropriata  povar  soucca  svitcbing  davicas  can  ba 
installed. 

•  Air  conditioning  .  and  huaidity  control  davicas  are 
noraally  a  necessity  in  large  installations. 

•  Anti-static  carpeting  and  controlled  use  of  electroaag- 
netic  notors  (floor  buffers,  vacuua  cleaners)  protect 
against  the  destruction  of  tape  and  disk  files. 

•  Depending  on  the  severity  of  the  threat,  those  aechan- 
isBS  considered  critical  to  operations  (air  conditioning, 
huaidity  controls,  fire  detection  and  extinguishing  systems) 
can  be  installed  redundantly. 

•  The  training  of  personnel  is  an  iiportant  aspect  of 
physical  security.  Fire  drills,  bomb  threat  drills,  security 
compromise  drills,  and  recovery  drills  should  be  conducted 
regularly. 


B.  BBBSOIIBL  SBCOIZTT 


F«rsonn«l  sacarlty  is,  perhaps,  the  aoat  dlfficalt 
aspact  of  a&  affacti^  coastacaaasttra  pcograa  to  aaintaln 
bacaosa  it  raqairas  tha  graataat  aaoant  of  sabjactiva 
jadqaaaat  froa  tha  aanagar.  Vhlla  no  pacsonaal  pcograa  is 
oaa  hand  rad  paccant  affactiva*  thaca  aca  savaral  basic  staps 
that  aida  raliability  and  aca  eoaaonly  found  in  snccassfal 
progcaas. 

1.  Scraenina 

Tha  coaplaxity  of  a  ssraaning  pcograa  dapaads,  in 
larga  part,  upon  tha  coaposition  of  the  popalation  froa 
which  the  selection  is  to  aade  and  apon  the  potential  losses 
that  could  result  froa  incorrect  selection.  Vhenewer 
possible,  a  thorough  screening  of  aelical,  eaployaent 
history,  scholastic,  and  psychiatric  records  should  be 
accoaplished  and  disqualifying  criteria  established. 
Personnel  interviews  and  testing  are  also  valuable  tools 
during  this  phase  of  a  surety  pcograa.  In  exceptional  cases, 
a  coaplece  background  investigations  can  be  obtained. 

Establishing  selection  oriteria  is  probably  the  aost 
subiective  part  of  a  personnel  security  pcograa.  If  feas¬ 
ible,  aide  can  be  sought  froa  professionals  (psychiatrists, 
physicians,  etc.)  but  the  aanager  ultiaately  aust  make  the 
final  decision  as  to  what  criteria  are  to  be  used. 

The  selection  of  individuals  for  various  positions 
begins  the  aaintenance  portion  of  the  pcograa.  Maintenance 
prograas  include  activities  such  as  periodic  training, 
briefing,  and  perforaance  evaluations.  Evaluation  nechniaues 


abound  but  the  eost  frequently  used  is  day*to«day  obsersa* 
tion  of  an  individuals  habits,  attitudas,  physical  appear¬ 
ance,  and,  if  possible,  after  hours  activities. 

4. 

Debriefing  is  an  aide  that  helps  preserve  a  given 
security  posture.  The  classical  debriefing  includes 
relieving  the  individual  of  classified  and  sensitive  duties 
and  saterlal  for  a  period  prior  to  his  departure  and 
obtaining  svorn  statesents  froa  the  individual.  Debriefing 
in  itself  would  not  sees  to  be  very  effective,  but  as  a  part 
of  a  coaprehensive  prcgras,  it  nay  be  very  useful. 

The  unpredictability  of  husan  behavior  is  perhaps 
the  sost  cosplicated  variable  in  any  security  progras  but  a 
conscientiously  pursued  personnel  progras  that  includes  the 
steps  cited  above  can  reduce  personnel  security  risk  appre¬ 
ciably  and  say  localize  the  effects  of  personnel  threats,  k 
good  personnel  progras  is  not  the  answer  to  total  security. 
Systess  that  have  a  any  resote  users  often  cannot  apply 
parscnnel  surety  progras  techniques  to  the  vast  sajority  of 
their  custosers.  In  that  sort  of  situation,  other  counter¬ 
measure  types  aust  be  used. 

C.  COHHUlIClTIOffS  SBCVBITT 

Co ms unicat ions  security,  or  the  lach  thereof,  has  influ¬ 
enced  the  outcoses  of  wars,  the  success  of  private 
companies,  and  the  length  of  a  head  of  state's  term  of 
office.  Today,  the  technologies  that  enable  man  to  convey 
information,  especially  digital  information,  complicate  the 
security  problem  since  not  ona  of  these  technologies  is 
completely  secure. 


ivoilablo  ETw 


Bncryption  Is  ths  sost  vidssprsad  ssthod  of  coantsring 
coiisnlcation  throats.  Ths  tsshni^s  usas  soss  Tariabls  kay 
to  sssd  an  ancrypting  algorltha.  Tha  algocitha  scrasblas  ths 
transaittsd  inforsaticn  into  anlntalliglbls  cods  which  can 
be  unscraablsd  by  a  rsvsrsing  algoritha  at  ths  inforaation's 
destination.  Ths  saas  kay  east  be  used  to  seed  tha 
nnscraabling  algoritha.  Ths  ksys  can  be  changsd  psriodically 
or  thsy  nay  change  with  each  tra nsaission.  Historically,  the 
usefulness  of  an  encoding  algoritha  and  its  associated  keys 
has  been  an  inverse  function  of  the  tiae  it  reaains  in  use. 

One  technique  that  deserves  aention  as  an  aide  to  coaau> 
nication  security  is  not  really  an  established  security 
method  at  all,  but  rather,  a  side  effect  of  a  aessage 
routing  scheaa.  The  aethod  is  called  packet  switching  and  it 
is  used  to  solve  coaplex  aessage  relay  probleas  in  aediua  to 
large  networks.  The  streaa  of  inforaation  is  essentially 
chopped  into  variable  length  chunks  called  packets.  Figure 
6,1  illustrates  the  inforaation  that  is  affixed  to  the 
packet.  The  leading  and  trailing  edge  of  each  receive  a 
coded  sequence  that  essentially  keeps  each  packet  from 
coabining  with  other  packets,  Ks  the  aessage  leaves  its 
source,  a  software  generated  header  is  inserted  after  the 
leading  edge  indicator.  The  header  contains  inforaation 
such  as  the  source  of  the  aessage,  the  destination,  the 
aessage  nuaber,  the  packet  number,  and  other  pertinent 
inforaation.  Each  packet,  with  all  its  added  information, 
is  then  routed  to  its  destination  via  varying  routes.  As 
Figure  6,2  shows,  all  packets  do  not  have  to  take  the  same 
path  to  the  destination  and  may,  in  fact,  arrive  at  the 
destination  out  of  sequence,  A  hardware  device  at  the  desti¬ 
nation  then  strips  the  added  inforaation  from  each  packet 
and  asseables  the  aessage  in  tha  proper  order.  The  security 
aspect  of  packet  switching  lies  in  the  fact  that  the  various 
packets  of  a  given  message,  may  take  different  paths  to  the 


fi^ur*  6*1  typical  Packet  Constaction. 


intended  destination.  A  penetrator  that  has  tapped  one 
segment  of  the  network  may  or  may  not  receive  the  entire 
message  and  nay  receive  the  packets  out  of  sequence.  Packet 
switching  is  not  a  reliable  security  aethod  because  the 
movement  of  the  packets  in  the  network  is  random  and  as  such 
does  not  negate  the  possi'-ility  that  an  entire  message  nay 
move  over  the  same  path. 

Eavesdropping  is  the  primary  threat  to  communication 
security,  but  there  are  two  other  threats  that  account  for  a 
small  percentage  of  the  total  communication  threat.  The 
denial  of  ccnnunicaticn  by  jamming  the  communicating  signal 
or  by  simply  cutting  the  connecting  cables  is  one  of  these 
threats.  The  only  way  that  this  problem  can  be  averted  is 
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Figrnr*  6.2  Bepr«s«ntatiTtt  Packet  switching  letwork. 


through  the  use  of  back-up  of  transmission  media.  The  other 
low'percentage  threat  is  the  re-routing  of  communications  ro 
unintended  destinations.  This  is  primarily  a  software 
problem  and  will  dealt  with  later  in  this  chapter. 

D.  EHAHATIOKS  SECUBITT 

There  are  three  basic  countermeasures  that  can  be  used, 
indiwidually  or  in  parallel,  to  mimimize  information 
compromise  through  emanations  in terceptionc 

1.  The  first  method  is  simply  the  establishment  of  a 
physical  buffet  area  around  the  computer  installa¬ 
tion.  The  radius  of  such  an  area  depends  on  the 
strength  of  the  emanations  and  the  probable 


sensitivity  of  an  esnnations  receiving  device,  bat  a 
coeson  figure  used  is  300  yards»  The  strength  of  the 
enanations  signal  is  dependent  upon  the  naintenance 
status  of  the  equipaent  and  the  eethod  of 
installation. 

2.  The  second  net hod  is  the  reduction  of  the  enanating 
signal  through  the  um  of  appropriate  sheilding.  In 
nany  instances,  coaputer  conplexes  are  lined  with 
sheet  aetal. 

3.  The  third  aethod  is  the  adjusting  of  the  equipaent  to 
liait  enanatiot  strength. 

E.  BARDVIBE  SBCORITT 

Hardware  counterneasures  are  designed  to  coabat  threats 
to  data  integrity.  The  physical  iaplementations  of  hardware 
security  devices  take  several  forns  but  all  are  constructed 
to  assure  reliability  in  the  internal  procedures  of  the 
machine.  The  following  hardware  security  features  are 
coanon: 

1.  Host  central  processing  units  (CPU)  utilize  an 

instruction  set  that  is  split  into  privileged  and 
n on-privileged  portions.  Privilegsd  instructions  are 
those  that  are  used  by  the  operating  system  to 
perform  its  supervisory  tasks  and  are  not  accessible 
to  the  user.  Any  attempt  to  invoke  a  privileged 
instruction  from  other  than  the  operating  system 
causes  an  exception  condition  and  all  processing  of 
the  job  ceases.  Unfortunately,  many  trapdoors  use  the 
interupt  feature  of  the  system  as  their  activation 
signal.  This  type  threat  must  be  dealt  with  as  a 
software  threat  as  covered  in  the  next  section. 

2.  Memory  locatijjs  within  the  physical  machine  contain 
various  kinds  of  information.  The  operating  system  of 


a  coaputer  is  noraallf  resident  in  sose  ezclosiee 
portion  of  sesory  and  should  not  ba  accessible  to  the 
user.  A  typical  method  for  elisinating  ‘potential 
attespts  to  alter  the  operating  systes  or  other 
sritical  storage  area  salces  use  of  bounds  registers. 
Bounds  registers  contain  the  addresses  of  the  first 
and  last  locations  of  areas  in  sesory  that  belong  to 
individual  data  sets  or  programs.  An  attempt  by  a 
user  program  to  access  information  outside  the 
confines  of  the  area  defined  by  the  bounds  registers 
will  cause  an  Issediate  exception. 

3.  Parity  checking  is  another  hardware  convention  that 
promotes  data  integrity.  In  simple  terms,  parity 
checking  involves  the  inspection  of  an  added  bit  that 
is  tacked  on  to  each  data  unit  (byte,  word,  half¬ 
word).  The  added  bit  signifies  whether  the  data  unit 
contains  an  odd  or  even  number  of  1*s  or  O's.  if  the 
data  is  altered  in  some  way,  the  chances  that  other 
adjacent  data  being  altered  is  probable.  As  the  data 
units  are  read,  each  of  the  parity  bits  are  checked. 
If  one  of  the  parity  checks  do  not  natch,  a  hardware 
exception  will  occur. 

4,  Automatic  terminal  identification  is  another  hardware 
security  measure.  When  a  terminal  is  turned  on,  an 
automatic  signal  is  generated  that  identifies  that 
terminal.  If  the  code  received  by  the  processor  does 
not  agree  with  the  list  of  authorized  terminal  codes, 
the  terminal  in  question  is  locked  out.  This  situa¬ 
tion  can  occur  when  a  penetrator  attempts  to  rap  into 
a  system  using  his  own  terminal. 

The  above  methods  of  hardware  security  are  generalized 
and  cover  a  wide  range  of  specific  i mpleientations,  other 
error  detection,  identification,  and  interrupt  designs  are 
frequently  used  and  are  usually  automatic.  The  computer 


8yst«a  aanagar  should  ba  Intacastad  in  vhat  aathods  ara 
avallabla  on  rarloas  aachinas  so  that  intalligant  jadgaaants 
can  ba  aada  daring  procoraaant  avolations.  Bayond  that 
aspact  of  hardvara  sacarity^  tha  aanagar  has  littla  control 
oyar  hardvara  sacnrlty. 


F.  SOFT BAKE  SBCORXTT 

Softvara  coantaraaasaras  ara  tha  aost  naaaroas  typa  of 
security  davica  and  ara  noraally  designed  to  liait  access  in 
soae  aannar.  Tha  following  paragraphs  describe  soae  typical 
softvara  security  aathods. 

1.  Tha  Security  iCarnal 

Tha  security  kernel  is  essentially  a  series  of  snail 
subroutines  that  liaits  the  access  of  other  pcogransr 
iacluding  tha  operating  systea.  The  design  of  the  kernel  is 
based  on  a  precise  specification  or  aataatical  aodel  of  its 
function.  The  aodel  is  conposed  of  a  set  of  access  rules 
plus  a  set  of  user  attributes  (clearance,  need  to  know)  and 
inforaation  attributes  (classification)  *Bef.  1h:  p.  28]. 
Figure  6.3  shows  the  conceptual  fora  of  a  security  kernel. 
Note  that  it  eaploys  a  front-end  processor  and  that  it  is 
the  base  layer  in  the  typical  software  hierarchy.  The 
kernel  programs  objectively  evaluate  access  requests  (read, 
write,  use)  issued  by  a  user,  by  another  program,  or  by  the 
operating  systea.  The  overhead  of  the  kernel  is  reputed  to 
be  minimal. 

2. 

Password  systems  are  mul^i- layer  software  overlays 
(see  Figure  6.4)  that  approve  and  deny  access  based  on  a 
user  response  to  a  password  request  from  the  system.  Oser 
responses  are  matched  against  a  password  file.  If  a 


APPLICATIOR 

PBOQBAMS 


Figur*  6.3  Conceptual  Tiev  of  a  Sacarity  Karnel. 


correct  response  is  made  to  a  password  request,  access  is 
granted;  otherwise  access  is  denied  and  terninal  lockout  may 
occur.  Each  user  can  either  have  multiple  passwords  that 
access  different  layers  of  information  (programs,  data, 
service  requests),  or  have  a  single  password  that  accesses 


all  larars.  Bhlch  avar  aathod  is  asad,  tha  password  fila 
aast  also  ba  protactad  in  soaa  way  (anccyption)  •  Password 


Figure  6.4  Layered  Password  Systaa. 

systems  are  probably  the  most  widely  used  of  the  software 
countermeasures,  but,  due  to  carelessness  in  the  handling 
and  assignment  of  the  passwords,  they  are  also  the  most 
widely  penetrated. 
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3.  £Ufi  naiiists 

File  eatrices  operate  each  like  password  systess. 
Each  file  is  prefixed  with  a  table  that  lists  those  pcograas 
and  users  that  are  authorized  access.  Instead  of  listing 
each  user  or  using  pzograa,  sose  aatricas  use  classifica* 
tions  of  users,  inother  variation  eay  be  constructed  in 
either  of  the  above  ways  and  will  contain  additional  infer- 
nation  as  to  the  level  of  use.  The  levels  of  use  include 
categories  such  as  "read",  "write",  or  "use",  "read"  allows 
the  user  to  read  the  file,  "write"  allows  a  user  to  write  to 
a  file,  that  is,  nodify  it,  and  "use"  allows  neither  "read" 
or  "write"  capability,  but  allows  the  use  of  the  file.  The 
eat rices  can  be  very  siaple  or  very  conplicated  and 
depending  on  the  the  degree  of  conplication,  incurs  a 
connensurate  run-tine  overhead. 

4.  Proaran  Auditors 

Progran  auditors  are  progress  designed  to  check 
other  prograns  for  integrity.  A  typical  auditor  will  deter¬ 
mine  the  nunber  of  lines  of  code  in  a  particular  program  and 
compare  its  finding  with  a  table  containing  the  number  of 
lines  the  program  is  supposed  to  have.  This  countermeasure 
is  designed  to  prevent  the  insertion  of  trapdoors  and  trojan 
horses  or  the  deletion  of  critical  portions  of  a  program.  A 
much  more  complex  version  of  the  sane  idea  is  a  progran  that 
checks  the  number  of  operators  and  the  nuiber  of  operands  as 
well  as  the  value  of  the  constants  in  a  progran. 

These  are  but  a  few  of  the  software  countermeasures 
employed  by  various  installations.  The  security  kernel  is 
largely  experimental  at  this  writing  (although  the  concept 
was  originally  identified  around  1972)  and  the  other  methods 
have  their  individual  failings  and  drawbacks  such  as  exces¬ 
sive  run-time  overhead,  the  requirement  for  additional 


bardvartt,  a&d  tb«  asag«  of  aa  inordinata  aaooat  of  stocago 
spaco. 

6.  OTEBB  COOBTBMnSfBBS 

The  preceding  sections  have  delineated  several  specific 
coanterseasnre  sethods  that  are  designed  to  avert  specific 
threats  and  threat  classifications.  Tvo  very  isportant  conn* 
terseasnres  resain  that  are  sajor  parts  of  a  risk  aanagesent 
prog  ran. 

The  first  of  the  two  sethods  is  auditing.  inditing 
entails  the  establishnent  of  a  comprehensive  aechanisa  for 
confirming  the  reliability  and  the  "correctness**  of  the 
system.  The  most  important  pact  of  the  auditing  system  is 
the  construction  of  an  audit  trail.  iudlt  trails  ace  based 
upon  single  transactions  emd  involye  the  establishnent  of 
corroborating  evidence  of  who  entered  the  system,  what 
resources  were  used,  and  what  the  result  was..  It  is  beyound 
the  scope  of  this  thesis  to  attempt  a  full  ezplaination  of  a 
audit  trail  model,  however,  the  reader  is  encouraged  to 
consult  the  writings  of  Bjork  [Ref.  11:  pp.  229- 2h5]  for  a 
comprehensive  disertation  on  the  subject. 

The  second  important  risk  manageneat  method  concerns 
contingency  planning.  Contingency  planning  is  the  method  by 
which  recovery  from  the  failure  of  countermeasures  is  accom¬ 
plished.  ks  such,  it  addresses  every  category  of  loss  and 
every  threat  that  a  specific  installation  is  vulnerable  to. 
A  typical  contingency  plan  covers  the  topics  listed  in  Table 
17  but  peculiar  needs  of  a  particular  AOP  activity  should 
also  be  included. 


TIBU  Zf 

CoatingvBcy  Plan  Tasks  a  ad  RaspoasiblUtiss 


1. 

2. 

3. 

4. 

5. 

6. 

7. 


10, 
1 1, 
12. 

13, 

14, 

15, 


>oix'5SS?SS*?i.. 


Idsntificatlon  of  contiogancy  conditions 
BTacaation  pcoosdaros 

Possrinq.dovn  - 

Flood  and  f 
Firs  plan 

ciarailisd^inf craation  sscnring/des traction  planning 

Back-up  planning 

Back-up  support  planning 

RscOYsry  planning  ... 

Tesporary  sits  raquirsasats  and. ssl action 
Har  avars/so  ft  wars  procuraasnt  planning 
Easrgsncy  fund  procursaant 
Contingsncy  training 
Hass  asdical  assrgancy 


fzi.  4  sQatjjin  sismii  snim 


I.  BlCEOEtOOn 

Chapters  1  through  6  have  dealt  with  the  scope  of  the 
security  probles  facing  the  coaputer  systess  sanagac,  the 
legislation  and  directives  concerning  the  topic,  sose  risk 
sanageaent  technigues,  and  the  threats  to  coaputer  security 
and  the  count eraeasu res  frequently  used  to  coabat  those 
threats.  The  purpose  of  the  preceding  chapters  has  been  to 
give  the  apprentice  coaputer  systeas  aanager  a  conversa¬ 
tional  knowledge  of  the  topic  and  to  eaphasize  the 
procedures,  lavs,  and  aethods  used  by  the  aanager  in  the 
perforaance  of  his  duties.  The  aanagers  of  today*s  ailitary 
coaputer  installations  aust  not  only  be  proficient  in  their 
assigned  tasks  as  aanagers,  they  aust  also  be  proficient  as 
soldiers,  sailors,  airaen  and  Marines,  ks  such  the  ailitary 
coaputer  systeas  aanager  aust  contend  with  physical  fitness 
training  for  hiaself  and  his  sen,  ailitary  training,  drug 
and  alcohol  abuse  prograas,  huaan  rights  seainars,  gun 
polishing,  boot  shining,  etc.  It  is  therefore  fair  for  a 
fledgling  aanager  to  inquire  a s  to  how  one  does  it  all. 
Further,  in  the  context  of  this  thesis,  how  is  coaputer 
security  treated  in  the  typical  ailitary  coaputer  center  and 
what  priority  is  it  accorded? 

In  an  atteapt  to  answer  those  questions,  and  zo  gain 
soae  first  hand  knowledge  of  the  techniques  eaployed  by  the 
ailitary  to  coabat  coaputer  fraud  and  aisusA,  a  survey  of  a 
typical  ailitary  data  processing  center  was  conducted.  The 
survey  approach  was  that  of  a  learning  evolution  with  the 
chief  benefit  going  to  the  author.  Since  the  remainder  of 
this  chapter  takes  cn  the  characteristics  of  a  critical 


r*Tl««,  th«  naa*  of  tha  coapotar  iastallatioc  ancaayad  will 
not  bo  aoBtionod  to  pxoclado  caporcassions  that  night  occur 
duo  to  tho  contwt  of  tho  survaj* 

B.  ZIS7B11BTZ0B  OISCIZBTZOB 

Coapotor  inatallationa  ara,  for  tha  aost  pact,  task 
organizad.  As  such,  tho  tfpo  and  sizo  of  oguipsont,  nuabor 
of  oporators,  cosaunications  aadia,  and  anwiconaant  aay  vary 
widoly.  Sinco  diffccont  installations  raquiro  diffocont 
sacurity,  a  doscription  of  tha  sucvoyad  eoaputac  cantor  is 
prasontad  to  put  tha  sacurity  critiqua  that  follows  in 
parspoctiva. 

Tha  Conputar  Data  Procassing  Activity  (CDPA)  survayad 
had  racantly  coaplatod  a  rolocatioi  to  a  new  aulti-purpose 
building  that  had  boon  design ad  spacifically  for  tha  unique 
environaant  that  a  conputar  canter  raquicas,  Tha  transfer 
of  tha  organization  *s  hardware  was  acconplished  without 
■aloe  difficulty.  Tha  hardware  presently  operated  by  the 
CDPA  consists  of  a  16  nagabyte  core  nenory,  a  CPU  sisilar  to 
an  IBH  370,  46  disk  units,  42  tape  drives,  and  an  external 
consunications  device.  The  operating  systen  is  sinilar  to 
the  IBM  HVS/VM  systex  and  supports  both  a  variety  of  local 
and  renote  job  entry  access  devices.  Figure  7.1  shows  the 
organization  of  the  local  area  network.  The  CDPA  is  one  of 
seven  najor  nodes  on  a  world  vide  network  with  connunication 
between  codes  provided  largely  by  connercial  telephone  and 
nicrewave  nedia.  Figure  7.2  shows  the  organization  of  the 
world  wide  network.  As  the  figure  shows,  the  network  is 
organized  so  as  to  provide  connunication  links  between  najor 
nodes.  Connunication  is  acconplished,  in  nost  cases,  via 
perferrad  routing  but  alternate  routing  is  available  in  the 
event  of  degradation  or  failure  of  najor  node  connunication 
capability.  The  external  conn  unications  device  functions 
separately  fron  the  cenputer  systen  thus  allowing 
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Figure  7.5  Data  Processing  Billets 


data  transaisslon  to  cccur  during  coaputer  systca  down  tlae. 
Th«  local  area  natwork  is  support ad  by  the  saaa  aztaraal 
cos aunicat ions  aguipaant  but  thare  is  no  radundant  routing 
faatnre  aaployad. 

Tha  CDPA  is  aannad  by  a  ailitary  to  civilian  (6S) 
parsonnal  ratio  of  3  to  1.  Tha  director  and  his  assistant 
ara  ailitary  and  the  several  aajor  departaents  are  headed  by 
an  approxiaataly  egual  nuabar  of  ailitary  and  civilian 
parsonnel.  Tha  CDPA«  as  veil  as  the  seveo  ether  aajor  nodes 
support  a  variety  of  integratai  databases  and  applications 
including  personnel  nanagen«it,  logistics,  and  operations 
support.  The  CDPA  itself  supports  no  classified  processing 
but  does  process  sensitive  to  aoderataly  sensitive  inforaa' 
tion.  The  security  officer's  position  is  assigned  to  tha 
con  aunicat  ions  office  i  as  a  collateral  duty. 

The  CDPA  is  currently  experiencing  a  capacity  problen  as 
Figure  7.3  illustrates.  Tha  capacity  problea  is  caused  by 
inadeguate  CPU  speed/ capacity  during  peak  interactive 
terninal  demand  and  is  causing  a  serious  response  tine 
problea  during  those  periods.  Figure  7.!»  shows  the  histor¬ 
ical  and  projected  growth  of  the  nuaber  of  interactive 
tsrainals  in  the  world  wide  network.  Assuming  that  the  CDPA 
will  support  a  fair  share  of  the  the  anticipated  growth,  it 
is  obvious  that  the  capacity  problea  now  being  experienced 
will  certainly  be  aggravated. 

Another  problen  being  experienced  by  the  CDPA  specifi¬ 
cally  and  this  particular  military  service  in  general,  is 
the  number  of  data  processing  billets  available.  Figure  7.4 
implies  that  the  personnel  workload  for  the  total  system 
will  soon  increase  rapidly.  Figure  7.5  ,  however  projects  a 
rather  stable  number  of  data  processing  billets.  It  is 
expected  that  future  hardware  procurements  will  partially 
respond  to  this  problem  by  way  of  technological  advances.  It 
is  felt,  however,  that  these  advances  will  not  acconmmodate 


63 


th«  IncTMMd  workload  totally.  Tha  ralawancy  of  this  obsar- 
▼ation  and  that  of  tha  capacity  problaa  to  coapatar  aacarity 
will  ba  astabllshad  latar  in  this  chaptar. 

Tha  attitada  of  top  aanaganant  toward  tha  tha  sacarity 
of  thair  systaa  is  an  iaportant  ingadiant  in  tha  lawal  of 
systas  sacnrity  in  any  systaa.  Tha  waaknassas  of  this  CDPk*s 
security  systaa*  as  Idantifiad  in  this  thesis,  cans  as  no 
surprise  to  tha  Installation's  chief  axacutiwas.  Because  of 
tha  absence  of  classified  processing,  the  chief  concern 
expressed  in  aany  of  the  intarwiaws  was  for  data  integrity 
and  protection.  Systaa  confidentiality,  it  was  obsarwad, 
coaaandad  wary  little  attention. 

C.  COIOOCT  0?  TBB  SOBfBT 

The  survey  was  conducted  according  to  a  consolidated 
checklist  cosposed  of  inputs  froa  two  eery  coaprehensiwe 
checklists  7]  and  [Ref.  S].  Each  checklist  itaa  was 

either  personally  observed  by  the  suveyor  or  addressed  in 
one  of  several  interviews.  ?oc  the  puposes  of  this  thesis, 
each  aajor  checklist  category  was  reduced  to  consents  about 
particular  probleas  oz  highlights  and/oc  a  category  posture 
statement.  The  aain  areas  of  investigation  are  listed 
below. 

•  Risk  Hanagement 

•  Physical  Security 

•  COHSEC 

•  Emanations  Security 

•  Hardware  Security 


Software  Security 


P«csoim«l  S«ciiritf 
contingency  Planning 


1-  SisJS  AiAftflMtfii 


is  discnsssd  in  an  sarlisr  shaptsc,  risk  sanagsasnt 
is  the  dynaaic  process  by  vhieh  the  total  of  all  systea 
threats  is  assessed  and  through  vhieh  the  trade  offs 
between  security  safeguards  and  the  expenditure  of  resources 
are  detersined.  The  COP A,  it  appears,  has  only  a  general 
skeleton  of  a  risk  nanagesent  pcograe  in  place.  There  are  no 
local  risk  nanageaent  publications  and  no  one  person  is 
directly  responsible  for  the  preparation  of  a  risk  eanage* 
■ent  prograa.  Sisk  aanageaent,  at  best,  is  in  an  infancy 
stage  within  the  COPA.  In  the  author* s  opinion,  a  valuable 
opportunity  for  the  initiation  of  a  risk  nanageaent  prograa 
was  foregone  during  the  conception  and  planning  stages  of 
the  the  COPA* s  recent  relocation.  An  obvious  flaw  'in  the 
design  of  the  new  building,  in  terns  of  conputer  security, 
was  discovered  during  the  survey  and  addressed  under  phys* 
leal  security  later  in  this  chapter.  If  the  building  had 
been  designed  with  security  in  wind  froa  the  outset,  (for 
instance,  with  a  risk  nanageaent  teaa  as  part  of  the  design 
connittee)  ,  the  physical  security  would  have  been  enhanced. 

Although  no  fornal  risk  nanageaent  system  exists  at 
the  COPA,  it  was  obvious  to  the  observer  that  the  level  of 
security  awareness  was  extremely  high.  In  small  systems,  a 
very  high  level  of  security  awareness  aay  be  substituted 
successfully  for  a  risk  management  prograa.  In  an  oeganiza- 
tion  the  size  of  the  COPA,  a  risk  management  program  is 
highly  desireable.  The  complexity  of  the  TOP  A  system  is  such 
that  a  highly  organized  and  systematic  approach  to  the 
security,  integrity,  and  confidentiality  of  the  systea 
assets  is  essential. 


2.  EtlUsal  SlSttia^I 


with  th«  •xc«ption  of  soao  obtrioas,  oasily  corroc- 
table  diacrapancias,  the  physical  sacarity  of  tha  CDPI 
appears  to  be  superior.  Tha  building  in  which  tha  CDPh 
resides  sarwas  both  tba  CDPi  and  a  elosaly  related  activity. 
Both  organizations  aaintain  independent  operations  and  very 
little  infrigeaent  on  each  oth»r*s  spaces  is  required.  The 
building  itself  is  constructed  of  fire  retardent  aaterials. 
It  is  located  on  a  lilitary  reservation  with  regular  and 
frequent  silitary  police  patrols.  Response  tine  of  both  the 
silitary  police  and  the  fire  departaent  has  been  been  tested 
at  less  than  two  ainutes.  The  building's  fire  alara,  detec¬ 
tion,  and  extinguisher  systeas,  the  electrical  power  systea, 
and  the  environaental  systea  are  all  redundantly  installed. 
Storage  areas  and  user  access  points  are  physically  sepa¬ 
rated  froB  the  aain  ccaputer  rooa. 

There  are  two  chinks  in  the  physical  security 
systea.  Two  very  large  windows  are  located  in  the  coaputer 
rooa.  Although  the  windows  ace  reputed  to  be  very  strong  and 
highly  resistant  to  breakage,  their  presence  causes  exces¬ 
sive  solar  heating  during  the  warmer  months  of  the  year.  The 
windows  are  located  directly  over  a  large  bank  of  disk 
drives  at  one  end  of  the  rooa  and  over  the  communications 
device  at  the  other.  The  increased  heat  has  not  caused  an 
undue  number  of  disk  drive  failures  or  communications  prob¬ 
lems  to  date,  but  the  service  life  of  both  devices  may  be 
adversely  affected  if  positive  measures  are  not  taken. 
There  is  currently  a  work  order  on  file  at  the  local  facili¬ 
ties  maintenance  organization  requesting  that  the  windows  be 
removed  and  replaced  with  concrete  and  brick.  The  request 
had  been  outstanding  for  several  months  at  the  time  this 
survey  was  taken. 


Th«  second  phial  cal  aaeacity  prahlaa  ia  tha  a^Moa 
of  a  aoitabla  archival  atoxafa  araa.  It  praaaat*  asaldvaX 
fila  atorapa  is  locatad  la  tha  basaaaat  of  tha  bailiiaf  a 
eindar block  vaalt.  fha  vault  has  its  ova  aivicoaaaatai 
coatzol  aad  fira  aztiagai^iap  systaM,  bat  it  is  looatad 
naxt  to  a  aapply  stccaxooa  fillad  with  aatariala  sack  as 
coatlanous  fora  papar  aad  di^lieatiag  flaid.  Xa  tha  aatbor*a 
astiBatioa,  this  arzaagaaaat  is  aot  adaqaata  for  archival 
storage  aad  is  ineoaslstant  with  tha  CDPl's  coacara  for  data 
latagrity.  A  possibla  raaady  for  this  iaadagaacy  sight  ba 
tha  use  of  aa  aadargrouad  malt  loeatad  oatsida  tha  paria* 
atar  of  tha  buildiog.  lot  oaly  doas  this  arraagaaaat 
ainialza  tha  threat  of  fira  froa  tha  adjasant  storarooa,  it 
protects  tha  archival  files  froa  baildiag  collapse  in  case 
of  fire  or  natural  disaster. 

3.  SgMflflAgfltiaafl  Sgguilx  (£QflSS£) 

Tha  CDPA  doe  a  not  aaploy  any  extraordinary  COBSSC 
technigaas  or  devices.  Data  coaaanication  between  tha  CDPAr 
its  raaota  job  entry  sites,  and  other  nodes  in  the  vorld 
wide  network  is  accoaplished  ovar  coaaerclal  telephone  lines 
and  alcrowave  relay.  Packet  switching  and  encryption  tech¬ 
niques  are  not  used  because  of  the  absence  of  classified 
data  files  resident  on  the  CDPA 's  storage  aedia.  Further, 
the  users  of  the  inforaation,  superior  levels  in  the  coaaand 
chain,  do  not  support  encryption  because  they  percieve  no 
need  or  utility  froa  the  technique. 

There  is  at  least  one  reason  to  support  tha  eaploy- 
aent  of  COHSEC  aeasures.  Although  no  single  piece  of 
inforaation  is,  in  itself,  classified,  a  particular  proces¬ 
sing  application  could  coabine  inforaation  in  such  a  way 
that  the  aggragated  inforaation  could,  in  fact  be  useful  to 
a  potential  penetrator.  There  is  little  doubt  that  the 
coaputer  professionals  of  the  CDPA  have  recognized  this 


possibl*  loo^boX*  bat  tb«lr  basti  as*  foXitictlly  tiaA* 
Thaix  task  is  aot  pxootdasoX  at  tbis  peiat,  it  is  pslltieal. 
Th«  tMistanes  of  soaioxs  lb  tb» '  eossiaMl  obtia  to  tbo  iaeex- 
poratioa  of  COBSBC  sost  bo  avoccoso  baforo  soaooao  olso 
locatos  tbis  voakaoss  in  tbs  systos. 

«•  gimUgM  siatAja 

Tho  CDPi  has  no  osanntions  soeacity  proeodaros  or 
davicos  in  plaeo.  Tho  saltiprograasing  fontnro  of  tho  opora- 
ting  spstoa  is*  in  tho  opinion  of  tho  installation 
conaandor*  a  snfficiont  eonfldontialitf  safogaard  against 
tho  intontional  procnzosont  of  sonsitioo  inforaation  through 
oaanations  intorcoption.  >oto  also  that  tho  cost  of 
shloldiag  a  facility  tho  siso  of  tho  COPi  against  oaanations 
throats  voold  aost  likoly  bo  prohibitioo. 

S*  Hardwaro  SocaritY 

Tho  oqto^paont  oporatoi  by  tho  CDPi  is  aodorn  and 
incorporatos  aany  of  tho  hardwaro  foatnros  condacivo  to  data 
pcotoction  into  -^ho  systoa.  Tho  following  is  a  listing  of 
tho  hardwaro  socnrity  attribatos  presont  in  the  CDPi 
pquipaont. 

•  PriYilogod  and  nan'-priwilsgod  instrnction  set 

•  Sogistor  error  detection  and  redundancy  checks 

•  Error  detection  daring  fetch  cycle 

•  Heaory  bounds  checking 

•  iutoaatic  prograa  interrupts 

•  BMOte  input/ out  put  identification 

•  User  isolation 


Controlled  supervisory  node  access 


6.  software  SfcuritT 

At  the  beginning  of  this  cbnptec,  it  was  noted  that 
the  CDPA  waa  ezperieneing  a  CPO  capacity  probXea,  Boeha 
[Bef.  12:  p.  13]  pointa  ont  that  the  coat  of  aoftvara  begina 
to  incraaae  inereaae  ateeply  at  approxiaataly  the  85X  aatn- 
ration  of  CPO  or  aenory  capacity  of  a  given  ayatea. 
Although  he  doea  not  explain  the  aonrcea  of  hia  obaervationr 
the  general  explaination  for  the  sudden  juap  in  software 
cost  is  a  drop  in  prograaeer  productirity  caused  by  an 
eephasis  being  placed  on  software  efficiency.  Vulf  [Bef.  13: 
p.  95 ]«  obaerwes  that 


acre  coapgtlng  sins  are  coeeitted  in  the  nane  of  effi¬ 
ciency  (without  necessarily  achiewelng  it)  than  for  any 
other  single  reason... 


Efficient  code,  albeit  desireable,  has  the  innate  quality  of 
being  difficult  to  read  and  understand.  This  certainly 
coaplicates  the  task  of  the  eaintenance  prograaaer.  Add 
this  conplication  to  the  fact  that  the  CDPA  anticipates 
prograaaer  workload  to  increase  and  the  stage  is  set  for  the 
eaphasis  to  be  reaoved  froa  proven  software  design  aethods. 
The  end  result  of  an  eaphsis  on  efficient  running  code  is 
that  security  takes  a  backseat  and  the  unstructured  code 
becoaes  a  effective  hiding  place  for  subversion  techniques. 
It  is  unlikely  that  the  CDPA  will  have  auch  success  with 
security  software  until  their  capacity  problens  are  solved. 
It  must  be  acknowledged,  at  this  point,  that  the  CDPA  has 
plans  to  acquire  additional  CPD  capacity.  In  addition,  a 
software  overlay  -  essentially  a  password  systea  -  is  being 
tested  for  use  on  the  aa  jor  nodes  on  the  world  vide  network. 
At  the  tiae  of  this  writing,  however,  the  only  data  protec¬ 
tion  software  in  place  was  a  data  base  language  systea  using 
an  integral  data  dictionary. 
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’f^  PTgQnnal  sacarltT 


P«rsoan«l  ■•earity  at  tka  CDPi  appaars  to  ^ 
adaquata,  Tha  aCTaaning  of  pacsonnal  foe  datp  in  tha  data 
procassing  fiald  la  this  branch  of  tha  aLlitary  la  coaplata 
and  laxy  aalactiva.  Boat  of  tha  paraonnal  at  tha  CDPi  haaa 
"SBCSET"  aacarity  claarancaa  and  aach  paraon  la  ragairad  to 
attand  intanaiaa  aacarity  training  prior  to  aaaaaing  datiaa. 
Regularly  achadalad  rafraahar  training  La  accoaplishad  in 
accordanca  with  tha  local  aacarity  plan.  Daa  to  tha  diffi* 
culty  encoantarad  in  tha  ratanaion  of  highly  trained 
paraonnal,  thara  is  no  aachaniaa  for  rotating  paraonnal 
through  Tarious  billets.  This  problaa  is  sarslca  wide  and 
not  directly  attributable  to  CDPA  sanagaaant  technigaes. 


Bigaaltat 


Uhfiaina 


Prior  to  tha  relocation  of  tha  CDPA,  a  coaprahansxve 
contingency  plan  was  dawalopad  by  the  CDPA  director  and  his 
staff.  At  the  time  of  dawelopaant,  tha  CDPA  was  located  in 
an  older  building  considerably  sora  wulnarable  to  physical 
threats  and  natural  disaster.  The  plan  included  purchasing 
contingent  capacity  fros  a  coaputer  sactrices  vender.  The 
plan  was  rejected  by  upper  level  aanageeent  because  it  was 
too  expensive.  There  exists  some  autual  bachup  capability 
between  the  sajor  nodes  in  the  world  wide  network  and  the 
feeling  is  that  priority  processing  could  be  begin  within  48 
hours  of  a  disaster  using  other  nodes'  capability,  but  there 
is  no  published  contingency  plan  and  the  recovery  plan  is, 
of  course,  dependent  on  the  availability  of  archival  files. 
The  fine  points  of  this  infernal  recovery  plan  are  obscure 
both  to  the  observer  and,  it  is  suspected,  to  CDPA 
personnel.  The  topic  of  backup  is  nentionsd  at  every  nesting 
of  CDPA  coBsanders  but  the  fornal  declaration  of  a  plan  is 
probably  years  away. 
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fill.  CQKLPSlDtS 

Th«  iBt«Bd«d  parpoBB  of  this  thssls  is  to  prsssBt  ths 
rsBdsr  bb  ovsrfisv  of  cooputor  sscBCity  SBd  to 

sneonrsfo  farthsr  study  of  ths  snbjset  by  thoss  who  csts* 
gorizs  thsssslsTSS  ss  cospotsr  systsss  Bansg«rs.  Ths  ssjor 
a&asrlylng  objsetivss  of  this  work  ars  to  coBSsy  ths  broad 
scops  of  ths  topic,  dts  ths  isportaBcs  of  risk  sa&agsssnt, 
and  to  prsssnt  what  ths  author  bslisvss  to  bs  ths  orsrall 
status  accordsd  cospotsr  sscttity  in  ths  contssporary  kOP 
enrlronssnt.  This  last  objsctivs  is  ths  sabjsct  of  ths 
following  paragraphs. 

ihils  it  is  difficult  to  gansralizs  about  a  population 
using  a  saapls  sizs  of  ons.  ths  iaplications  of  ths  surrey 
sussarizsd  in  Chapter  7  hare  been  inforsally  corroborated  by 
conrsrsations  with  actirs  and  past  eosputer  professionals. 
Ths  aost  pointed  cosasntary  is  a  article  by  kir  Force 
Colonel  Bogsr  Schell,  [Bsf.  14:  p.  16*33],  past  instructor 
at  the  faral  Postgraduate  School  in  Hontecey,  California  and 
currently  the  Deputy  Director  of  DOD  Cosputer  Security 
Eraluation  at  Ft.  Heads,  Haryland.  In  the  article.  Colonel 
Schell  warns  of  the  dangers  that  result  from  a  lack  of  an 
aggressire  security  pcsture  and  is  critioal  of  the  present 
state  of  silitary  cosputer  security.  In  view  of  this  obser* 
ration  by  the  fores cst  cosputer  security  expert  in  the 
Departaant  of  Defense,  the  following  obserrations  are  aade. 

First  and  foresost  an  infor nation  systen  should  perforn 
its  intanded  task  as  well  as  its  conceptual  planning  allows, 
k  secondary,  but  iaportant  portion  of  the  inforaation 
systen* s  task  is  to  ensure  that  the  quality  of  the  inforna* 
tion  it  contains  is  presered  and  that  tta  diseaination  of 
that  inforaation  is  aade  select irely.  saying  that  another 
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vay  -  th«  Infonatica  aystaa  should  ansuES  atrailability, 
intsgrity,  and  confidantiality  of  ths  infocsation  it  stoEos 
and  opaEatss  upon.  Zf  an  InfoEuation  systan  doss  not  pEOvldo 
thass  assuEaness  in  sous  gEoatac  dagEaa,  it  is  pEobabla  that 
ona  of  t ha  following  conditions  ana  pnasant: 

•  sanagasant  ignoEanca 

•  lack  of  EasouEcas 

•  lack  of  sacuEity  saintanaaca 

Tha  fiEst  conditicn  is  not  wldaspEaal  at  tha  installa¬ 
tion  lawal.  It  is  Bora  a  failing  of  aanagasant  lawals  abowa 
wheta  aanagars  ana  not  likaly  to  ba  cosputar-ociantad 
personnal  and«  as  such#  hawa  wacy  littla,  if  any»  faal  for 
tha  wulnaEability  of  ooiputars.  Onfortunataly,  thosa  sasa 
uppaE- lawal  aanagars  also  control  tha  financial  and 
personnal  assats  raqnirad  to  iapleaant  security  assurance. 

Tha  sacond  condition  is  a  problea  faced  by  both  ailitary 
and  ciwilian  aanagars  and  is  sal f-axplainatory. 

Tha  third  condition,  as  Schell  points  out,  is  tha 
continuing  relianca  on  established  security  aaasures  without 
periodic  rawiaw.  Ha  cites  historical  refarances  of  aisplacad 
trust  in  security  aaasures  (  tha  breaking  of  the  Garaan  and 
Japanese  coaaunication  codas  during  World  War  II)  and  urges 
aanagarial  personnel  to  continually  evaluate  security 
aea  sures. 

The  priority  accorded  coaputer  security  in  today's  ADP 
coaaonity  appears  to  be  low.  Since  the  tools  and  the  tech¬ 
nology  for  effective  security  are  availabla,  one  aust  deduce 
then,  that  coaplacency  is  the  chief  cause  for  this  undesire- 
able  status.  It  is  therefore  incumbent  upon  the  computer 
systems  manager  to  proaote  risk  analysis  and  to  educate  at 
all  levels  of  aanageaent  on  the  effects  of  a  poor  security 
progxaa.  Until  progress  is  made  in  reducing  the  complacency 
level,  the  very  fabric  of  the  decision  making  process  - 
inforaation  -  will  remain  unreliable. 
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